Rubrik Enterprise Edition Ransomware Recovery Warranty Agreement
This Rubrik Enterprise Edition Ransomware Recovery Warranty Agreement (“ Warranty Agreement ”) describes the terms and conditions for the provision of a Ransomware Recovery Warranty (“ Warranty ”) by Rubrik, Inc. (“ Rubrik ”) to Customer for its purchase of an Eligible Solution (defined below) . This Warranty Agreement governs the Warranty, which must be approved by Rubrik and stated in the quote for the Eligible Solution between the authorized Rubrik reseller and Customer. Unless expressly defined herein, capitalized terms shall have the meaning ascribed to them in the Customer Agreement.
1.1 “Customer” means the company purchasing an Eligible Solution from Rubrik through an authorized Rubrik reseller.
1.2 “Customer Agreement” means the agreement(s) between Rubrik and Customer governing Customer’s use of the Eligible Solution.
1.3 “Discovery Time” means the exact time at which the Customer first discovers the Ransomware incident.
1.4 “Eligible Solution” means a subscription to Rubrik Enterprise Edition along with a concurrent subscription to a Customer Experience Manager (“CEM”) service.
1.5 “Event Date” means the date the Ransomware Incident first occurred; provided, however that each Ransomware Incident that forms part of the same, continuous, related or repeated Ransomware Incident (“Related Ransomware Incident”) shall be deemed to have the Event Date of the earliest Ransomware Incident or Pre-existing Incident (if applicable) that forms part of the Related Ransomware Incident.
1.6 “Health Check” means a periodic audit performed by Rubrik personnel and the resulting recommendations for various Rubrik platform configurations and system statuses, including but not limited to security best practices, data backup and SLA Policies to ensure the Rubrik platform is optimized for data protection, recovery and restore operations.
1.7 “Payment” means reimbursement of Recovery Incident Expenses that directly result from a Recovery Incident.
1.8 “Pre-existing Incident” means the actual or reasonably suspected presence of Ransomware in the Customer environment prior to the Customer’s applicable Warranty Period.
1.9 “Ransomware Incident” means a malware software program that infects Customer’s systems from external sources (i.e. in the wild), which installs, persists, and encrypts a material portion of files (“Ransomware”), and continues to demand payment (“Ransom”) in order to decrypt the encrypted files. For clarification, Ransomware does not include any malware introduced by the Customer or any third party to Customer’s internal systems, whether intentionally (i.e. malware testing) or through a breach in the system’s security.
1.10 “Recovery Incident” means an unsuccessful Recovery (defined in Section 2.1).
1.11 “Recovery Incident Expenses” means solely (and to the exclusion of all other fees, expenses, losses, settlements and damages) the reasonable and necessary fees and expenses to restore, recover, or recreate Customer data under the Warranty to the extent incurred by Customer as a direct result of a Recovery Incident. The foregoing fees and expenses constitute “Recovery Incident Expenses” only if: (1) incurred by Customer after obtaining Rubrik’s prior written approval to procure such services or incur such expenditures; (2) paid to a third party pre-approved in writing by Rubrik; (3) incurred by Customer within one (1) year following the Discovery Time of the applicable Ransomware Incident; and (4) payment and/or reimbursement does not violate any applicable domestic or foreign law, statute, regulation or rule as determined by Rubrik in its sole discretion. The foregoing fees and expenses incurred by a Customer’s Affiliate as a result of a Recovery Incident, and based on the use of an Eligible Solution by such Customer’s Affiliate shall, for purposes of this definition only, be deemed expenses incurred by Customer so long as such Customer Affiliate also complies with terms set forth herein. For clarity, Recovery Incident Expenses do not include (i) any third party restoration, recovery, or recreation attempts on a Rubrik platform or a Rubrik hosted cloud platform, or (ii) the cost of restoration, recovery, or recreation for Customer’s environment(s) managed or protected by Rubrik Edge and not successfully replicated to Eligible Solution software on Rubrik hardware, Rubrik-certified third party hardware, or a Rubrik hosted cloud platform.
1.12 “Rubrik Edge” means Rubrik software appliance that extends data protection and management to virtualized and physical remote and branch office environments.
1.13 “SLA Policy” means a configurable set of policies that the Customer applies in the Eligible Solution to achieve specific data protection objectives which includes point-in-time snapshots or backups of data sources, how long to keep the data, and replication/archive requirements.
2. RANSOMWARE RECOVERY WARRANTY.
2.1 The Warranty. Rubrik warrants to Customer that in the event of a Ransomware Incident with an Event Date that occurs during the Warranty Period, the Eligible Solution will enable Customer to materially restore the Customer data that was successfully backed up using the Eligible Solution software onto Rubrik hardware, Rubrik-certified third party hardware, or a Rubrik hosted cloud platform, to the last good backup within the Customer’s SLA Policy during the Warranty Period (“Recovery”). If Recovery of such Customer data is not successful due to a failure of the Eligible Solution software as determined by Rubrik, Customer’s sole and exclusive remedy, and Rubrik’s entire liability, subject to the terms herein, will be to reimburse Customer for its Recovery Incident Expenses directly resulting from the Recovery Incident (“Payment”), up to a maximum amount not to exceed the applicable Cap set forth in the table below.
The Customer data tiers above are calculated based on the amount of data Customer protects using the Eligible Solution software (i.e., data Customer backs up using products other than the Eligible Solution will not count toward those data tiers). Aggregate Payments for multiple Recovery Incidents with Event Dates in the Warranty Period shall not exceed the Cap. This Warranty extends only to Customer and its Recovery Incident Expenses and does not extend to any third parties (including, but not limited to suppliers, service providers, end-clients, and employees or agents of Customer) or any of their losses or damages.
2.2 Pre-existing and Related Ransomware Incidents. This Warranty does not extend to Pre-existing Incidents or Related Ransomware Incidents that include a Pre-existing Incident. Except as set forth in this Section 2.2, all Recovery Incident Expenses resulting from a Related Ransomware Incident shall be subject to the terms, conditions, exclusions and Cap in effect on the Event Date of the first discovered Ransomware Incident that forms part of the Related Ransomware Incident.
2.3 Disclaimer. EXCEPT FOR THE LIMITED WARRANTY PROVIDED IN SECTION 2.1 OF THIS WARRANTY AGREEMENT AND ANY WARRANTIES PROVIDED IN THE CUSTOMER AGREEMENT, THE ELIGIBLE SOLUTION IS PROVIDED AS IS.
3. CONDITIONS PRECEDENT TO WARRANTY PAYMENT. Rubrik shall only provide Payment to Customer if, at the time of the Ransomware Incident and throughout the Warranty Period:
- Customer has maintained an active subscription for the Eligible Solution (both Rubrik Enterprise Edition and CEM);
- Customer had deployed the most recent version of the Eligible Solution software as further described in Section 4.3 with the latest security patch available prior to the applicable Ransomware Incident;
- Customer had completed all Health Checks and implemented all Health Check recommendations in a timely manner;
- The Event Date and Discovery Time of the Ransomware Incident occurred, was discovered by Customer, and reported to Rubrik during the Warranty Period, and in accordance with Section 5;
- Customer has remained in compliance with its Customer Agreement, including without limitation any payment obligations;
- Customer has fully cooperated with Rubrik, including without limitation by (i) implementing all remedial and security measures recommended by Rubrik including the Requirements, (ii) providing all reasonably requested information, and (iii) complying with the Reimbursement Request process set forth in Section 6;
- Any systems to which the Customer seeks to restore Customer data successfully backed up by Rubrik are free of any malware, bugs, back-doors or other malicious code, and are otherwise secured; and 8. This Warranty is not restricted or prohibited by applicable law.
4. REQUIREMENTS. Customer acknowledges and agrees that security threats evolve over time, and Customer is responsible for maintaining the security (including securing its access credentials) in accordance with the then-current industry best practices. To qualify for the Warranty, in addition to the measures set forth in Section 3, Customer must comply with the following minimum security requirements throughout the Warranty Period (“Requirements”):
4.1 Data Security Best Practices. Customer must follow the Rubrik security best practices as defined in the latest version of the Security Hardening Best Practices Guide, which can be found on the Rubrik support portal or provided upon request and includes without limitation the following:
• Back-ups are successful and meet the SLA Policies
• Retention lock is enabled in the SLA Policies
• Multi-factor authentication for all user accounts
• SSH key-based with passphrase protected keys for CLI authentication
• User roles are assigned with least privilege access
• Data-at-rest and in-transit are always encrypted
• Secure protocols for third-party systems
• Create IP whitelisting that limits connections to Customer owned networks only
• SSL-certificate security for User Interface (UI) and APIs
• Secure service accounts
• Scoped API roles with least privilege
4.2 Customer Health Checks. Customer must agree to the following Health Checks, including granting Rubrik the necessary access and permissions to conduct the Health Checks:
• At initial deployment – the Customer must notify the CEM before deploying the Eligible Solution software in production, and the CEM will conduct an initial deployment Health Check to confirm the Eligible Solution software is configured properly and meets the applicable Requirements at that time
• On a monthly basis
• Upon a Ransomware Incident – as part of this Health Check, Customer will allow Rubrik to audit and verify the required security measures under this Warranty Agreement have remained in place throughout the Warranty Period
4.3 Additional Requirements. Customer must:
• Implement updates and upgrades to the Eligible Solution software as soon as reasonably practicable, consistent with industry best practices and in consultation with the CEM; and in no event later than six (6) months after the date of the latest release;
• Protect the Customer data under this Warranty with the SLA Policies recommended by Rubrik; • Include Customer data under this Warranty under the defined snapshot retention period in the applicable SLA Policy;
• Customer environment(s) with Rubrik Edge deployments must be successfully replicated to Eligible Solution software on Rubrik hardware, Rubrik-certified third party hardware, or a Rubrik hosted cloud platform; • Implement Radar and Sonar for ransomware detection and data classification;
• Send product metrics to Rubrik and open recommended ports/services for data transmission; • Implement change management best practices and informs CEM of any planned changes; and • Implement such other security measures and best practices as may be recommended by Rubrik from time to time over the course of the Warranty Period.
5. NOTIFICATION OF RANSOMWARE INCIDENT. If Customer discovers a Ransomware Incident during the applicable Warranty Period, Customer must notify Rubrik within twelve (12) hours of the Discovery Time of such Ransomware Incident by calling the Rubrik support team at the applicable hotline number found on www.rubrik.com/support/.
6. REMEDIATION AND REIMBURSEMENT REQUEST PROCESS.
6.1 Remediation and Reimbursement Request. Subject to this Warranty Agreement, if all remedial measures recommended by Rubrik after a Ransomware Incident have been exhausted and Rubrik determines a Recovery Incident occurred, Customer may submit a request for reimbursement of Recovery Incident Expenses (“Reimbursement Request”). Customer must submit such Reimbursement Request to Rubrik within one (1) year of Rubrik confirming a Recovery Incident and the Reimbursement Request shall include all information available to Customer regarding the Ransomware Incident and Recovery Incident. Rubrik shall review Customer’s Reimbursement Request and Customer shall provide any additional information reasonably requested by Rubrik at any time.
6.2 Payments. Customer shall provide Rubrik with evidence of Recovery Incident Expenses in accordance with Rubrik’s instructions. During the Warranty Period, and for a period of three (3) years thereafter, Rubrik shall have the right, at its own expense, to inspect, and Customer shall maintain and provide, Customer’s records related to such Recovery Incident Expenses upon reasonable written request during regular business hours. Except to the extent a Reimbursement Request arises out of an event that is later determined (1) not to be a Ransomware Incident, or (2) to relate to a Pre-Existing Incident, Rubrik hereby waives any and all rights it has or may have to reimbursement of Payments from Customer. Customer shall promptly (but in no event later than 30 days after written notice) reimburse Rubrik for all Payments related to a Reimbursement Request that arises out of an event that is later determined not to be a Ransomware Incident or that relates to a Pre-Existing Incident. Rubrik shall have no obligation to make any Payments that are prohibited by law. Customer must provide Rubrik such evidence and assurances that no Payment would be used by Customer to any person or entity subject to economic sanctions administered or enforced by the U.S. Treasury Department Office of Foreign Assets Control (OFAC), including any such person or entity listed on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List or otherwise prohibited under relevant law.
7.1 Entire Agreement. This Warranty Agreement constitutes the entire agreement between Customer and Rubrik regarding the Warranty and supersedes any and all prior agreements or communications between the parties with regard to the subject matter hereof. For the avoidance of doubt, this Warranty Agreement is in addition to the Customer Agreement; nothing in this Warranty Agreement is intended to supersede, modify or amend the Agreement, including any warranties therein. For the avoidance of doubt, the confidentiality terms in the Customer Agreement apply to this Warranty including without limitation any communications or information related to a Recovery Incident. In the event of any conflict or inconsistency between the terms of the Warranty Agreement and the Customer Agreement, the Warranty Agreement shall prevail. Rubrik may revise the terms and conditions of this Warranty Agreement or terminate the Ransomware Recovery Warranty program at any time without notice and without recourse to Customer; however, such modification or termination will not affect the Warranty Agreement in place at the time of a previous purchase of an Eligible Solution by the Customer. In the event of a successful Recovery, Customer agrees to participate in a Rubrik marketing case study on such Recovery.
In addition to and without limiting Rubrik’s rights set forth above in the immediately preceding paragraph, Rubrik reserves the right to modify or terminate this Warranty Agreement generally or in any jurisdiction, at any time, in its sole discretion, if: (i) the Warranty is construed to be an offer to insure or constitute insurance or an insurance contract or insurance service agreement by any governmental or regulatory authority in any jurisdiction; (ii) Rubrik is required to obtain a license or permit of any kind to continue to provide this Warranty in any jurisdiction; or (iii) Rubrik determines or a court or arbitrator holds that the provisions of the Warranty or this Warranty Agreement violate applicable law. If Rubrik modifies or terminates this Warranty Agreement in accordance with the foregoing, Rubrik will process all Reimbursement Requests that the Customer submitted prior to or as of the effective date of such modification or termination unless such processing is prohibited by law, regulation, ordinance, order, or decree of any governmental or other authority.
7.2 Limitation of Liability. IN NO EVENT WILL RUBRIK OR ITS SUPPLIERS BE LIABLE (UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STATUTE, TORT OR OTHERWISE) FOR ANY LOST PROFITS, LOST BUSINESS OPPORTUNITIES, BUSINESS INTERRUPTION, OR SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES, OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE; AND IN NO EVENT SHALL RUBRIK’S LIABILITY UNDER OR ARISING FROM THIS WARRANTY AGREEMENT EXCEED CUSTOMER’S CAP AS SET FORTH IN SECTION 2.1 ABOVE FOR THE WARRANTY PERIOD. Multiple claims or Recovery Incidents shall not expand the limitation specified in the foregoing sentence. Any Payments, damages or losses paid under this Warranty Agreement shall accrue towards any liability cap set forth in the Customer Agreement. If the limitation of liability in this Section 7.2 is determined to be invalid under applicable law, this Warranty Agreement shall be deemed null and void.
7.3 Governing Law. This Warranty Agreement shall be governed by and construed in accordance with the laws of the State of California, U.S.A., without applying conflict of law rules. With respect to all disputes and actions arising from or related to this Warranty Agreement, the Parties irrevocably consent to exclusive jurisdiction and venue in the state and federal courts located in Santa Clara County. The United Nations Convention of Contracts for the International Sale of Goods (1980) is hereby excluded in its entirety from application to this Warranty Agreement. Nothing in this Section 16.15 (Governing Law) will limit or restrict either Party from seeking injunctive or other equitable relief from a court of competent jurisdiction.
7.4 Term and Termination. The Warranty Period commences on the date the Customer’s CEM performs the initial Health Check and confirms the Eligible Solution is configured to meet the Requirements and shall continue for the term of the Eligible Solution’s initial subscription term, unless terminated earlier in accordance with this Section 7.4 or the Customer Agreement (“Warranty Period”). Termination of the Customer Agreement shall terminate this Warranty Agreement. Termination of this Warranty Agreement shall not terminate the Customer Agreement. Customer may not assign this Warranty Agreement without the prior written consent of Rubrik, except to an Affiliate in connection with a corporate reorganization or in connection with a merger, acquisition, or sale of all or substantially all of its business and/or assets provided Customer provides Rubrik with notice of any such assignment no later than thirty (30) days after such assignment or change in control event is public. Any assignment in violation of this section shall be void and shall void this Warranty. Subject to the foregoing, all rights and obligations of the parties under this Warranty Agreement shall be binding upon and inure to the benefit of and be enforceable by and against the successors and permitted assigns.
7.5 This Warranty Agreement is not intended to and shall not be construed to give any third party any interest or rights (including, without limitation, any third party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby. For the avoidance of doubt, only the Customer has the right to enforce this Warranty Agreement or pursue claims relating to it against Rubrik.
7.6 This Warranty is not intended to constitute an offer to insure, does not constitute insurance or an insurance contract, and does not take the place of insurance obtained or obtainable by the Customer.