Managed Cloud Application Security Service - BT Global Services


Managed Cloud Application Security Service
Annex to the BT Managed Security Service Schedule

Contents
Application of this Annex
A note on ‘you’
Words defined in the General Terms
Part A – The Managed Cloud Application Security Service
1 Service Summary
2 Standard Service Components
3 Graded Service Tiers
4 Service Options
5 Service Management Boundary
6 Associated Services and Third Parties
7 Specific Terms and Conditions
Part B – Service Delivery and Management
8 BT’s Obligations
9 Your Obligations
Part C – Service Target
10 Service Availability
Part D – Defined Terms
11 Defined Terms
Appendix 1
Appendix 2

British Telecommunications plc 2020
BTL BTGS MngdCldApplctnScrtySrvcAnnex published15Dec2020.docx 15Dec2020 Page 1 of 33

Managed Cloud Application Security Service Annex

Application of this Annex
This Annex sets out the additional terms that will apply where BT provides you with the Managed Cloud Application Security Service. The terms of this Annex will apply in addition to the terms set out in:
  (a) the Schedule; and
  (b) the General Terms.

A note on ‘you’
‘You’ and ‘your’ mean the Customer.

Words defined in the General Terms
Words that are capitalised but have not been defined in this Annex have the meanings given to them in the General Terms or the Schedule.

Part A – The Managed Cloud Application Security Service

1 Service Summary
BT will work with the Supplier to provide you with a right to access and use Service Software enabling you to protect your Users from threats from the use of other cloud services, comprising:
1.1 the Standard Service Components; and
1.2 any of the Service Options as set out in Paragraph 4 that are selected by you as set out in any applicable Order,
up to the point of the Service Management Boundary as set out in Paragraph 5 (“Managed Cloud Application Security Service”).

2 Standard Service Components
BT will provide you with all the following standard service components (“Standard Service Components”) in accordance with the details set out in any applicable Order:
2.1 McAfee Service Software: BT will provide you with the right to access and use the Service Software for the number of purchased Users, User Subscriptions or Locations.
2.2 McAfee Portal: BT will provide to you the right to access and use the Supplier’s web-based User interface (“McAfee Portal”).
2.2.1 The McAfee Portal is an administrative portal for creating and managing security policies, logging, analysing and reporting Security Incidents and Events.
2.2.2 The McAfee Portal enables your Administrators to:
  (a) review statistics of all Security Incidents and Events reported, Malware that is stopped and other Internet content that is blocked;
  (b) identify cloud services being accessed, both Sanctioned IT and Shadow IT;
  (c) create access restrictions to cloud services and apply these to specific Users or groups of Users;
  (d) customise browser alert pages seen by Users when access to cloud services is restricted or denied;
  (e) update administration details for real-time email alerts; and
  (f) configure and schedule automated system auditing and reporting.
2.3 SOC: This is the Managed Cloud Application Security Service support team which acts upon any Security Incident detected by the Managed Cloud Application Security Service. The SOC utilises your data traffic in pursuit of the detection and response capability, and
2.3.1 where an alert is detected, a warning will be raised and reported to you. You can access the McAfee Portal to confirm and initiate any corrective investigation. Once the Security Incident is resolved, you will respond with confirmation to BT that the Security Incident is closed; and
2.3.2 you may report high levels of security alerts, which will be logged by the BT support team and then passed to the SOC for further investigation.
2.4 First Line Support – Service Desk
The first line support (Service Desk) will receive reports from you and use structured questions to record the details of the Incident or the Security Incident which you report to BT. BT will generate a Ticket which will then be sent to the second line support.
2.5 Second Line Support – Cyber Analysts within the SOC
2.5.1 The second line support;

  (a) provides monitoring and troubleshooting related to SOC operations working with Managed Cloud Application Security Service technologies and other core network security products;
  (b) determines critical system and data integrity;
  (c) provides for new analytic methods for detecting threats; and
  (d) will escalate to the third line support, in relation to Incidents or Security Incidents with BT Managed Cloud Application Security Service management environment.
2.6 Third Line Support – Supplier Support Team
Third line support (provided by the Supplier) will deal with escalations from second line support (provided by BT) as set out in Paragraph 2.5, and use the investigations carried out by BT to support an Incident or Security Incident effectively.

3 Graded Service Tiers
3.1 You will choose one of the Graded Service Tiers, some of the features of which are set out in the tables below, as set out in any applicable Order:

Graded Service Tiers: Foundation, Foundation Plus, Premium

Service:
  - Shadow IT: Discovery Options for Shadow IT (Zscaler, Palo Alto, Blue Coat, McAfee Web Gateway, Fortigate, Cisco ASA/Firepower, Checkpoint)
  - Sanctioned IT: Options for protection of SaaS services (Office 365, Slack, Salesforce Box, Dropbox)
  - Sanctioned IT: Options for protection of IaaS services (Amazon Web Services, Microsoft Azure)
  - Policies to control the Managed Cloud Application Security Service

By tier:
  Foundation: One option only (Zscaler or Next Generation Firewall). BT template. Auto-remediate only for DLP, Malware checking and Access Control.
  Foundation Plus: Multiple options with standard configuration. BT template. Default policies can be customised to your requirements.
  Premium: Multiple options with custom configuration. No policy limit. Default policies customised to your requirements.

3.2 The Foundation Graded Service Tier will provide enhanced capabilities to ensure that deployment, operational and management issues are resolved as quickly as possible. It includes extended coverage hours and direct engagement with the BT SOC team. The Security Optimisation Manager will carry out a review every six months in accordance with Paragraph 6.1 of the Schedule.
3.3 The Foundation Plus Graded Service Tier will provide prioritised case handling, quarterly health checks and reports. The Security Optimisation Manager will carry out a quarterly review in accordance with Paragraph 6.1 of the Schedule.
3.4 If you have selected the Premium Graded Service Tier the Security Optimisation Manager will carry out a review not less than monthly in accordance with Paragraph 6.1 of the Schedule.
3.5 In each of the Graded Service Tiers, the Security Optimisation Manager will provide guidance to ensure effective implementation, operation and management of the Managed Cloud Application Security Service.
3.6 Dependent on the Graded Service Tier you have chosen, you will be provided with support from BT as set out in the table below:

Graded Service Tiers: Foundation, Foundation Plus, Premium

BT Support:
  - Implementation
  - Advise you of high impact Incidents and Security Incidents
  - Service availability monitoring
  - Change management
  - Security Incident triage
  - Advise you of confirmed Security Incidents and recommendations
  - Liaison with other BT Service Desks where you have other security products
  - Security Optimisation Manager reporting
      Foundation: 6 monthly
      Foundation Plus: Quarterly
      Premium: Monthly
  - Managed Cloud Application Security Service status monitoring (for issues and outage) and reactive remediation
  - Managed Cloud Application Security Service generated Security Incident alerts and reactive remediation
      Foundation: Alert only. You will receive email and McAfee Portal alerts and you will remediate
      Foundation Plus: You and BT will receive email and McAfee Portal alerts. BT will prompt you to remediate and you will remediate
      Premium: Alert & Remediate. BT will be alerted and will advise you of action to be taken
  - Security Incident log retention
      Foundation: 90 days or 12 months, if you have selected the Service Option at Paragraph 4.6
      Foundation Plus: 90 days or 12 months, if you have selected the Service Option at Paragraph 4.6
      Premium: 90 days or 12 months, if you have selected the Service Option at Paragraph 4.6

4 Service Options
4.1 BT will provide you with any of the following options (“Service Options”) as set out in any applicable Order and in accordance with the details as set out in that Order:
4.2 Options for Shadow IT Discovery: You may select the firewall or proxy devices that you want to use to discover Shadow IT usage. Where you select this Service Option, you will incur additional Charges, which will be set out in the Order. The options available are:
  (a) Zscaler;
  (b) McAfee Web Gateway;
  (c) Palo Alto firewalls;
  (d) Blue Coat firewalls;
  (e) Fortigate firewalls;
  (f) Cisco ASA/Firepower firewalls; and
  (g) Checkpoint firewalls.
4.3 Options for SaaS (Software As A Service) protection: You may select the SaaS cloud services that you want to be protected by the Managed Cloud Application Security Service. Where you select this Service Option, you will incur additional Charges, which will be set out in the Order. The options available are:
  (a) Microsoft Office 365 which includes:
    (i) Microsoft Exchange;
    (ii) Microsoft One Drive;
    (iii) Microsoft Teams; and
    (iv) Microsoft Sharepoint;
  (b) Slack;
  (c) Salesforce Box; and
  (d) Dropbox.

4.4 Options for IaaS (Infrastructure As A Service) protection: You may select the IaaS cloud services that you want to be protected by the Managed Cloud Application Security Service. Where you select this Service Option, you will incur additional Charges, which will be set out in the Order. The options available are:
  (a) Amazon Web Services; and
  (b) Microsoft Azure.
4.5 Surcharge Data Centres: in certain countries or regions, you may restrict the hosting and processing of your data to Surcharge Data Centres within a geographic region. Where you select this Service Option, you will incur additional Charges, which will be set out in the Order. Unless a Surcharge Data Centre is selected, data is Processed in the USA.
4.6 Surcharge log data retention periods: you may upgrade the log data retention period (for Sanctioned IT only) from the standard 90 days to 12 months. Where you select this Service Option, you will incur additional Charges, which will be set out in the Order.
4.7 Downloadable McAfee Enterprise Cloud Connector: BT will provide you with the right to access, download, host in your data centre and use the McAfee Enterprise Cloud Connector, to collect log data for Shadow IT features. BT does not provide support for this Service Option and Paragraph 5.6 will apply.
4.8 A full list of Service Options will be made available to you before you place your Order, the details of which will be set out in the Order.

5 Service Management Boundary
5.1 BT will provide and manage the Managed Cloud Application Security Service as set out in Parts A, B and C of this Annex and as set out in the Order. The service management boundary is the point where traffic enters and leaves the infrastructure owned or controlled by the Supplier (“Service Management Boundary”).
5.2 BT will have no responsibility for the Managed Cloud Application Security Service outside the Service Management Boundary.
5.3 You are responsible for making any necessary configuration changes for in-life management of the Managed Cloud Application Security Service, which can be accessed through the McAfee Portal, unless you have selected the Premium Graded Service Tier in which case BT will make the necessary configuration changes.
5.4 BT does not support all of the features provided by McAfee. BT will provide a list of unsupported features, which will be set out in the Order.
5.5 BT does not guarantee that the Managed Cloud Application Security Service will detect or block all Security Incidents or Events or malicious threats, including data loss.
5.6 Certain Service Options may require you to have specific Customer Equipment that meets minimum specifications, communicated to you by BT or the Supplier, to benefit from full functionality. BT will not be responsible for any inability to provide the Managed Cloud Application Security Service or degradation of the Managed Cloud Application Security Service where you use the Managed Cloud Application Security Service without the required Customer Equipment.

6 Associated Services and Third Parties
6.1 You will provide and maintain an Internet connection with sufficient bandwidth at all times for use with the Managed Cloud Application Security Service, including providing and maintaining any Customer Equipment necessary for such connection. You will pay all charges related to provision, maintenance and use of such Internet connections and report any incidents on the Internet connections directly to the supplier of the compatible Internet connections.
6.2 If BT provides you with any services other than the Managed Cloud Application Security Service, this Annex will not apply to other services and those services will be governed by their separate terms.

7 Specific Terms and Conditions
7.1 McAfee Portal
7.1.1 You will have access to the Supplier’s Internet based McAfee Portal, as set out in Paragraph 2.2.
7.1.2 You may identify and request multiple Administrators by supplying their email addresses to BT who will set up the associated account and provide an email with an activation link that will allow the Administrator to set up an account password.
7.2 Customer Transaction Logs
7.2.1 BT and the Supplier may use, reproduce, store, modify, and display on the McAfee Portal the information from your logs for the purpose of providing the Managed Cloud Application Security Service.
7.2.2 Logs are:

  (a) Shadow IT log – the information in this log is provided by your firewalls and proxies. It contains details about the cloud services in use in your organisation. It provides insight into the way your Users engage with the cloud, and assists your Shadow IT discovery effort.
  (b) Policy incident log – contains a unified summary of information on all DLP, Malware, Access Control and security configuration audit policy incidents. Policy incident logs are used in investigating and identifying any remediation action required.
  (c) Audit log – contains a list of all Events performed by registered application Users. This is used for investigations and for audit purposes.
7.2.3 BT and the Supplier may use the log information related to the Managed Cloud Application Security Service for the purpose of:
  (a) maintaining and improving the Managed Cloud Application Security Service;
  (b) complying with all legal or contractual requirements;
  (c) discovering Shadow IT cloud services in use within an organisation, identifying high risk applications and advising on remediation;
  (d) anonymously aggregating and statistically analysing the content; and
  (e) other uses related to the analysis of the Managed Cloud Application Security Service.
7.2.4 BT will use reasonable endeavours to transmit and store the logs securely.
7.2.5 BT will store the logs in their raw state or compress them if appropriate.
7.2.6 You will confirm your specific logging requirements at the time of placing the Order. BT may raise a Charge for any of your specific requirements that BT deems are non-standard.
7.2.7 The Supplier will retain the log data for Sanctioned IT for a rolling 90 days period during the provision of the Managed Cloud Application Security Service, and will retain a summary of your logs for a rolling 12 month period during the provision of the Managed Cloud Application Security Service.
7.2.8 The Supplier will retain the log data for Shadow IT. Data in cloud infrastructure is aggregated on a daily, weekly and monthly basis. Aggregation keeps daily data for 45 days, weekly data for 13 weeks and monthly data for 14 months. Daily data is rolled up and summarised to weekly, and weekly data is rolled up and summarised to monthly. Any data older than 14 months is deleted by default.
7.2.9 You may upgrade the Managed Cloud Application Security Service from retaining logs for Sanctioned IT from 90 days rolling to 12 months at an additional Charge as set out in the Order, if you have selected the surcharge log data retention periods Service Option set out in Paragraph 4.6.
7.2.10 At the end of the Managed Cloud Application Security Service, the Supplier will delete the Customer Transaction Logs, in accordance with the 90 days or 12 months retention cycle set out in Paragraph 4.6, unless you request in writing to BT that the Customer Transaction Logs are maintained for an additional time period, which will be subject to agreement and an additional Charge to be agreed between you and the Supplier.
7.3 Suggestions, Ideas and Feedback
You agree that the Supplier and/or BT will have the right to use or act upon any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by you relating to the Managed Cloud Application Security Service, to the extent it is not your Confidential Information.
7.4 Supplier Terms
7.4.1 BT will only provide the BT Managed Cloud Application Security Service if you have entered into the Supplier Terms below, as may be amended from time to time by the Supplier:
  (a) if you have selected the Downloadable McAfee Enterprise Cloud Connector Service Option as set out at Paragraph 4.7, the Supplier’s Corporate End User Licence Agreement or EULA as set out in Appendix 2, as may be amended or supplemented by the Supplier to comply with Applicable Law. You will observe and comply with the EULA for all and any use of the applicable Software;
  (b) the Supplier’s data protection agreement: .
7.4.2 If you do not comply with the Supplier Terms, BT may restrict or suspend the Managed Cloud Application Security Service upon reasonable Notice, and:
  (a) you will continue to pay the Charges for the Managed Cloud Application Security Service until the end of the Minimum Period of Service; and
  (b) BT may charge a re-installation fee to re-start the Managed Cloud Application Security Service.
7.4.3 You will enter into the Supplier Terms for your own benefit and the rights, obligations, acknowledgements, undertakings, warranties and indemnities granted in accordance with the Supplier Terms are between you and the Supplier and you will deal with the Supplier with respect to any loss or damage suffered by either you or the Supplier as such loss or damage will not be enforceable against BT.
7.4.4 Where the EULA is presented in a ‘click to accept’ function and you require BT to configure or install Software on your behalf, BT will do so as your agent and bind you to the EULA.
7.5 Amendments to the BT Managed Security Service Schedule
7.5.1 Paragraph 5.4 of the Schedule will not apply.
7.5.2 Paragraph 5.5 of the Schedule will not apply.
7.5.3 Paragraph 6.2 of the Schedule will not apply.
7.5.4 The wording of Paragraph 9.5.2 is deleted and replaced by the following:
  9.5.2 In addition to the Charges set out at Paragraph 9.5.1 of the Schedule, if you terminate during the Minimum Period of Service or any Renewal Period, you will pay BT:
  (a) for any parts of the Managed Cloud Application Security Service that were terminated during the Contract, Termination Charges, as compensation, equal to:
    (i) 100 per cent of the Recurring Charges that are attributable to the McAfee licences purchased for the remaining Minimum Period of Service or Renewal Period;
    (ii) 100 per cent of the Recurring Charges that are attributable to the BT Managed Security Service excluding those attributable to the McAfee licences for the first 12 months of the Minimum Period of Service;
    (iii) 20 per cent of the Recurring Charges that are attributable to the BT Managed Security Service excluding those attributable to the McAfee licences for the remaining Minimum Period of Service or Renewal Period; and
    (iv) any waived Installation Charges.
7.5.5 The wording of Paragraph 11.4 of the Schedule is deleted and replaced by the following:
  11.4 The End of the Service
  On termination of the BT Managed Security Service or the Managed Cloud Application Security Service by either of us, you will disconnect from the Managed Cloud Application Security Service.
7.5.6 On Time Delivery Service Levels and On Time Delivery Service Credits set out at Paragraph 13 of the Schedule will not apply to the Managed Cloud Application Security Service.

Part B – Service Delivery and Management

8 BT’s Obligations
8.1 Service Delivery
Before the Service Start Date and, where applicable, throughout the provision of the Managed Cloud Application Security Service, BT will:
8.1.1 provide you with contact details for the Service Desk that you will be able to contact to submit service requests, report Incidents and ask questions about the Managed Cloud Application Security Service including in relation to:
  (a) login issues;
  (b) API, reverse proxy and McAfee Portal connectivity issues (identified as being due to vendor platforms);
  (c) policy issues;
  (d) policy incident issues; and
  (e) cloud service blocking (false positives) for supported services only;
8.1.2 work with you to prepare a deployment plan;
8.1.3 deploy the Service Options selected by you, including setup tasks such as:
  (a) identification of your firewalls, routers and proxy servers that will provide log data, and check that the format can be read and ingested into the Managed Cloud Application Security Service; and
  (b) your connectivity to the Managed Cloud Application Security Service;
8.1.4 set up and configure the McAfee Portal for your Administrators; and
8.1.5 configure the security policy prior to the Service Start Date and subsequently, at an additional Charge, where you request BT to do so. BT will not be responsible for defining your security policy and will not be liable for any consequences arising from a misspecification of your security requirements, or from unforeseen consequences of a service configuration that contains misspecifications but is correctly implemented by BT.
8.2 During Operation
On and from the Service Start Date, BT:
8.2.1 will work with the Supplier as necessary to restore the Managed Cloud Application Security Service as soon as practicable if you report an Incident with the Managed Cloud Application Security Service; and
8.2.2 may use its access rights as primary Administrator to the McAfee Portal to investigate and resolve any Incidents notified by you to BT in accordance with Paragraph 5.2 of the Schedule.
8.3 The End of the Service
On termination of the Managed Cloud Application Security Service by either one of us, BT, or the Supplier, as applicable, will:
8.3.1 terminate your access to the McAfee Portal and Service Software and cease to provide all other elements of the Managed Cloud Application Security Service; and
8.3.2 destroy or otherwise dispose of any of the saved Shadow IT log data after 14 months unless BT receives a written request from you for deletion of all log data earlier than 14 months from the date of termination. BT, or the Supplier, as applicable, will not destroy or otherwise dispose of any of the saved Sanctioned IT log data unless you submit a written request to BT if you require the deletion of all saved Sanctioned IT log data.

9 Your Obligations
9.1 Service Delivery
Before the Service Start Date and, where applicable, throughout the provision of the Managed Cloud Application Security Service by BT, you will:
9.1.1 establish and maintain your own internal support processes and helpdesk for Users and be responsible for communication with Users;
9.1.2 provide BT with all technical data and any other information BT may reasonably request from time to time without undue delay, to enable BT to supply the Managed Cloud Application Security Service to you;
9.1.3 ensure that your firewall configurations and network settings allow the traffic types necessary for BT to provide the Managed Cloud Application Security Service, including;

  (a) ensuring that external HTTP, HTTPS and FTP over HTTP requests (including all attachments, macros or executable) are set up to be directed through the Managed Cloud Application Security Service by making and maintaining the configuration settings required to direct external traffic via the Managed Cloud Application Security Service, with BT’s assistance and support as reasonably required and you acknowledge that this external traffic is dependent on your technical infrastructure;
  (b) ensuring that internal HTTP/HTTPS/FTP over HTTP traffic (e.g. to the corporate intranet) is not directed via the Managed Cloud Application Security Service;
  (c) ensuring that your firewalls are open to access a number of the Supplier’s URLs that will be advised to you by BT; and
  (d) ensure that you deploy in accordance with any specification provided by BT or the Supplier the McAfee Enterprise Cloud Connector software in your own environment if you have selected the Service Option at Paragraph 4.7.
9.1.4 ensure that you have access to the McAfee Portal;
9.1.5 use Customer Equipment that is interoperable and managed by you meets any Supplier requirements for Service Options that may be communicated to you by BT or the Supplier from time to time;
9.1.6 ensure that Customer Equipment is installed and operated according to applicable third party vendor specifications and recommendations, and ensure that Customer Equipment has the capacity to forward traffic to the Supplier;
9.1.7 use one of the methods mandated and supported by the Supplier to authenticate Users;
9.1.8 ensure that you order the appropriate Managed Cloud Application Security Service Service Options for your requirements; and
9.1.9 in relation to the McAfee Portal, request BT to set up each Administrator with an account with privileges as appropriate for the Administrator’s role or as requested by you.
9.2 During Operation
On and from the Service Start Date, you will:
9.2.1 observe and comply with the McAfee Cloud Services Agreement as set out at Appendix 1 for all or any use of the Managed Cloud Application Security Service and in addition to what it says in Clause 15 of the General Terms, if you do not comply with the McAfee Cloud Services Agreement, BT may r
