ThreatDown Managed Services Agreement

Effective Date: February 1, 2024

Please read the following terms and conditions carefully before utilizing the ThreatDown managed services (the “Managed Services”) that accompanies this ThreatDown Managed Services Agreement, as well as any accompanying documentation. The terms and conditions of this Agreement are an agreement between you and Company (defined below) and govern the use of the Managed Services.

Company” means: (a) if you are utilizing the Managed Services in the United States or Canada, Malwarebytes Corporate Holdco Inc., a Delaware corporation; and (b) if you are utilizing the Managed Services in any other country, Malwarebytes Corporate Holdco Ireland Limited, a company formed under the laws of Ireland.

Company is willing to provide the Managed Services to you only upon the condition that you accept all the terms contained in this Agreement. If you are accepting the terms of this Agreement on behalf of a company or other legal entity (including, if you are acting as a managed services provider authorized to offer Managed Services to your customers (such managed services provider, an “MSP”)), you represent and warrant that you have the authority, whether as an agent (including as an MSP) or otherwise, to bind that company or other legal entity (in the case of an MSP, including the end customers of the MSP), to the terms of this Agreement, and, in such event, “you” and “your” will refer to that company or other legal entity. If you do not accept all the terms of this Agreement, then Company is unwilling to provide the Managed Services to you and you must cease utilizing the Managed Services and destroy any destroy all copies of documentation relating to the Managed Services (including any customer report provided as part of the Managed Services) immediately.

This Company Managed Services Agreement and any sales order form(s) (“Sales Order Form”) you executed with Company for the Managed Services (this Company Managed Services Agreement and, together with the applicable service order(s), the “Agreement”) are an agreement between you and Company and govern your use of the Managed Services.

  1. Managed Services. During the term of this Agreement and subject to the terms and conditions herein, Company agrees to provide the Managed Services purchased by you in accordance with the terms of this Agreement.  This Agreement does not govern your license of any Company software.Such software is governed under the terms and conditions of the applicable software license agreement between you and Company. Managed Services non-transferable, and may not be transferred between endpoints, nebula accounts, or customer sites.
  2. Managed Services Price. The price, including, where applicable, tier pricing, will be set forth on each Sales Order Form.
  3. Purchases Through Resellers. If you purchased the Managed Services through an authorized reseller (“Reseller”) or an MSP, this Agreement will govern your use of those Managed Services. Your payment obligations for the Managed Services will be with the Reseller or the MSP, as applicable, and you will have no direct payment obligations to Company for such Managed Services purchases. Any terms agreed to between you and the Reseller or the MSP, as applicable, that are in addition to this Agreement are solely between you and the Reseller or the MSP, as applicable. No agreement between you and Reseller or the MSP is binding on Company, nor will it have any force or effect with respect to the rights in, or the operation, use or provision of, the Managed Services. If you are acting as a Reseller or an MSP and providing Managed Services to your customers, you agree to enter or to have entered into a written agreement with your customers, such agreement containing terms that are equally protective of Company’ rights set forth in this Agreement. Reseller or MSP, as applicable, shall indemnify Company for any claim, action or allegation arising from Reseller or MSP’s failure to bind its customers to terms that are equally protective of Company’ rights set forth in this Agreement.
  4. Customer Responsibilities. If you utilize the Managed Services, you will be responsible for abiding by the prerequisites and customer responsibilities set forth on the applicable Managed Services end-user technical documentation published by Company (“Documentation”).

    a. MDR Services. Managed Detection and Response Services (“MDR Services”) is a type of Managed Service solution offered by Company. MDR Services requires an active subscription to Company Endpoint Detection & Response (“EDR”) software on all your endpoints. You acknowledge that you understand that if an endpoint in an environment is not protected by EDR, a security risk may breakthrough the environment through the unprotected endpoint. Our MDR Services is only quoted and sold for deployment on all of your endpoints. If you have any endpoints that do not have EDR enabled, the efficacy of, and the ability for Company to provide, the MDR Services will be negatively impacted. Accordingly, you shall be responsible for ensuring that your endpoints have EDR enabled on all endpoints at all times so that you can utilize the intended benefits of the MDR Services. Where you increase the number of your endpoints in your environment during your subscription to the MDR Services, you hereby agree to promptly pay for MDR Services for such additional endpoints for the remainder of the then-ongoing term. Removal of any endpoint during the MDR Services subscription term shall not reduce the cost of the MDR Services, nor entitle you to any refunds or credits. If you are an MSP, you acknowledge and agree that you are responsible for implementing recommendations from MDR Services for your end customers.

    b. Prohibited Uses.  You shall not: (a) modify, alter, tamper with, or circumvent any aspect of the Managed Services; (b) transfer (except as expressly permitted in Section 16), sublicense, lease, rent or otherwise distribute the Managed Services to any third party; (c) make the functionality of the Managed Services available to any third party through any means; (d) test the Managed Services in order to find limitations or vulnerabilities, or (e) reverse engineer or attempt to or reverse engineer the Managed Services.
  5. Customer Acknowledgement.

    a. Unauthorized Access. You acknowledge and agree that you are responsible for your use of the Managed Services. You are fully responsible for the control of and/or access to your account, including limiting access to usernames and passwords and you agree to take all reasonable precautions to protect your username and password and access to your account. You will immediately notify Company in the event that you discover or believe that your account or username or password has been accessed in any unauthorized way. Neither Company nor any third party associated with providing any portion of the Managed Services will be liable to you or any third party for any failure by you to prevent unauthorized access to your account.

    b. Limitation of Managed Services. The Managed Services cannot and should not be relied upon to detect all malicious or other harmful or problematic files or data. Alternatively, neither Company nor any third party associated with providing any portion of the Managed Services is responsible in the event that the Managed Services may designate some files or data as malicious or harmful, when they are not.  You are responsible for all data and content that you post and/or access, even if it was monitored by the Managed Services. Neither Company nor any third party associated with providing any portion or the Managed Services is responsible in any way to the monitored or other content and materials. In addition, such monitoring does not guarantee detection of all malicious or other harmful or problematic files or data. We urge you not to access or read any suspicious files and/or information even if those were monitored using the Managed Services.

    c. Content. You understand that all information (such as data files, written text, computer software, code, music, audio files or other sounds, photographs, videos or other images, etc.) (“Content”) which you may be monitoring using the Managed Services are the sole responsibility of the person from which such content originated. You understand that although you are using the Managed Services, you may be exposed to Content that you may find harmful, unlawful, offensive, indecent or objectionable and that you use the Managed Services at your own risk. You agree that you are solely responsible for (and that neither Company nor any third party associated with providing any portion or the Managed Services has any responsibility to you or to any third party for) any Content that you access, use, transmit or display while using the Managed Services and for any consequences that your actions may have (including any loss or damage which Company or any third party associated with providing any portion or the Managed Services may suffer) by doing so.

    d. Ownership of Deliverables. Managed Services do not constitute “works for hire,” “works made in the course of duty,” or similar terms under laws where the transfer of intellectual property occurs on the performance of services to a payor. The only deliverable arising from the Managed Services is a report consisting primarily of Company findings, case status, and threat information. You own the copy of the report delivered to you (“Deliverable”), subject to Company ownership of the Company Materials. You agree that relative to you, Company exclusively owns any and all software (including object and source code), flow charts, algorithms, documentation, adversary information, report templates, know-how, inventions, techniques, models, Company trademarks, ideas and any and all other works and materials developed by Company in connection with performing the Managed Services (including without limitation all intellectual property rights therein and thereto) (collectively, the “Company Materials”) and that title shall remain with Company. For the avoidance of doubt, the Company Materials does not include any of your pre-existing information or other materials or data you provided. Upon payment in full of the amounts due hereunder for the applicable Managed Services and to the extent the Company Materials are incorporated into the Deliverable(s), you shall have a perpetual, non-transferable (except as expressly provided in the Section entitled Assignment), non-exclusive license to use the Company Materials solely as a part of the Deliverable(s) for your internal business purposes.
  6. Beta Features and Beta Releases. From time-to-time, Company, at its sole discretion, may make available to you optional features to its Managed Services (collectively “Beta Releases”). You are not required to use such Beta Releases.  Unless a particular Beta Release includes its own separate and specific terms and conditions, this Agreement will govern the usage of Beta Releases. Conditioned upon your compliance with the terms and conditions of this Agreement, Company grants you the ability to use the Beta Releases solely for your internal business purposes, and in the case of beta features and releases, for evaluation purposes. Beta Releases are sometimes provided as preview releases of new features and functionality, as well as quick fixes for resolving specific issues. Beta Releases are not fully tested by Company and may include significant issues. You acknowledge that Beta Releases are likely to present risks associated with their use. Company strongly recommends that you back up all of your data prior to using Beta Releases. Notwithstanding anything to the contrary in this Agreement, Beta Releases are provided “as is”, and do not carry any warranties or maintenance or support; similarly, in no event will Company be liable for any damage arising from the use of Beta Releases.
  7. Updates. You understand and agree that your purchase is not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by Company regarding future functionality or features. Company reserves the right to designate any updates, additional content or features as requiring separate payment or purchase of a separate subscription at any time.
  8. Term.

    a. The initial term of this Agreement commences on the date specified in the Sales Order Form accompanying the Managed Services (or if no such date is specified, the first date you have access to any portion of the Managed Services) and, in each case, continues for the period of time set forth in the Sales Order Form (or, if no such date is specified, for one year).Your order shall not automatically renew (unless you opt into autorenewal on your Sales Order Form). Where you opt into autorenewal, the renewal shall be for the same term and price except where Company has provided you with sixty (60) days’ notice of a change to the renewal pricing. Where you opt into autorenewal and later change your mind, you can avoid automatic renewal by providing us with at least thirty (30) days’ written notice (email sufficient) prior to the renewal date.

    b. Termination For Cause. Either party may terminate this Agreement for cause if the other party materially breaches this Agreement and such breach remains uncured after thirty (30) days’ written notice of such breach.

    c. Effect of Termination. Upon termination or expiration of this Agreement, your rights to the Managed Services terminates immediately and Company, at its discretion, may promptly disable your access to the Managed Services or the Managed Services account. If this Agreement is terminated by you in accordance with subsection b above, Company will refund you any prepaid fees for the Managed Services covering the remainder of the term of the applicable orders forms after the effective date of termination. If this Agreement is terminated by Company in accordance with subsection b above, you will pay any unpaid fees covering the remainder of the term of all applicable Sales Order Forms to the extent permitted by applicable law. In no event will termination relieve you of your obligation to pay any fees payable to Company for the period prior to the effective date of termination. Sections 10, 11, 12, 13, 14(a), 15, and 16 of this Agreement, and any provisions which explicitly state that they will continue, will survive any termination or expiration of this Agreement.
  9. Payment Terms.
    The price payable by you is the price stated in the Sales Order Form (or, if no such price is specified, the price set out in our then-current standard published price list). Our prices are exclusive of taxes, duties, levies, tariffs, and other governmental charges (including, without limitation, VAT) (collectively, “Taxes”). If we issue an invoice to you, all invoices are payable within 30 days of the invoice date unless specified differently in the invoice or Sales Order Form. You are responsible for payment of all Taxes and any related interest and/or penalties resulting from any payments made to us, other than any taxes based on Company’ net income.
    If you purchased the Managed Services through a Reseller or an MSP, your payment obligations are between you and the Reseller or the MSP, as applicable. See also Section 3 (Purchases Through Resellers).
  10. Privacy Policy.
    By entering into this Agreement you agree to the terms of Company’ privacy policy, which can be found at https://www.threatdown.com/privacy-policy (as may be updated from time to time, the “Privacy Policy”). More information concerning what data is collected and used by Company and how it is used is available in the Privacy Policy. Without limiting the Privacy Policy, you agree that Company may track certain data it obtains from your device, including data about any malicious software, exploits or other threats flagged through the Managed Services (including but not limited to potential sources of such threats, such as payload files, file format and recent URL’s visited). This information is collected and used for the purpose of providing the Managed Services, as well as tracking malicious software, exploits and other threats, and evaluating and improving Company’ products and services. We may share anonymized data relating to malicious software, exploits or other threats flagged by the Company software with third parties. You shall be responsible for any consents necessary for Company to perform the Managed Services on the data you provide it with access to, as well as for the use described in this section 10, and shall indemnify and defend Company relating thereto.
  11. Limited Warranty; Disclaimer.
    You represent and warrant (1) that you have the necessary rights, power and authority to transmit Customer Data to Company under this Agreement, (2) that you have and will continue to fulfill all obligations with respect to individuals as required to permit Company to carry out the terms hereof, including with respect to all applicable laws, regulations and other constraints applicable to Customer Data and (3) that, if acting as an MSP, you have the necessary rights, power and authority to bind the end customer to the terms of this Agreement. “Customer Data” means (i) any data provided by you to Company, (ii) your data accessed or used by Company, or transmitted by you to Company in connection with Company’ provision of services including the Managed Services, including, but not limited to, your data included in any written or printed summaries, analyses, or reports generated in connection with the Managed Services.

    Company warrants that it will perform the Managed Services, in a professional manner. You agree to provide prompt notice of any service concerns to Company, and in any event no later than the 7th day after such service concern has become known or identified (the applicable period, the “Notice Period”). The sole and exclusive remedy for any breach by Company of this Agreement is a reperformance of the applicable Managed Services for any service concerns provided during the Notice Period.   

    TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE LIMITED WARRANTY SET FORTH IN THIS SECTION 11 IS EXCLUSIVE AND LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED AND COMPANY AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATURORY OR OTHERWISE. YOU UNDERSTAND THAT THE MANAGED SERVICES DO NOT CONSTITUTE ANY GUARANTEE OR ASSURANCE THAT THE SECURITY OF YOUR SYSTEMS, NETWORKS AND ASSETS CANNOT BE BREACHED OR ARE NOT AT RISK. COMPANY AND ITS AFFILIATES DISCLAIM ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, MALWAREBYTES AND ITS AFFILIATES SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE MANAGED SERVICES. THERE IS NO WARRANTY THAT THE MANAGED SERVICES WILL BE ERROR FREE, WILL IDENTIFY ALL THREATS, WILL OPERATE WITHOUT INTERRUPTION, OR WILL FULFILL ANY OF YOUR PARTICULAR PURPOSES OR NEEDS. COMPANY DOES NOT WARRANT ANY THIRD-PARTY PRODUCTS OR SERVICES.
  12. Limitation of Liability.
    IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF DATA, BUSINESS, PROFITS OR ABILITY TO EXECUTE) OR FOR THE COST OF PROCURING SUBSTITUTE PRODUCTS OR SERVICES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE PERFORMANCE OF THE MANAGED SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

    THE ABOVE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

    EACH PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL BE LIMITED TO AMOUNTS PAID OR PAYABLE BY YOU TO COMPANY FOR THE MANAGED SERVICES MADE AVAILABLE TO YOU DURING THE 12 MONTHS PRIOR TO THE EVENT GIVING RISE TO THE CLAIM, EXCEPT AS OTHERWISE SET OUT IN THIS SECTION 12. NO LIMITATION OF LIABILITY WILL APPLY TO EXCLUDED CLAIMS. “EXCLUDED CLAIMS” MEANS: (1) CLAIMS FOR WHICH LIABILITY CANNOT BE LIMITED UNDER APPLICABLE LAW; (2) CLAIMS THAT HAVE AROSE AS A RESULT OF FRAUD, WILLFUL MISCONDUCT OR GROSS NEGLIGENCE; (3) INDEMNIFICATION OBLIGATIONS; OR (4) BREACH OF SECTION 4(B) (PROHIBITED USES).
  13. Indemnification.
    You shall be responsible for and will defend, indemnify and hold harmless Company, its affiliates, and each of their respective directors, officers, employees and contractors from any damages actually incurred and finally adjudicated as to any third party claim, action or allegation (i) that the Customer Data infringes a copyright or misappropriates any trade secrets enforceable in the country(ies) where the Customer Data is accessed, provided to or received by Company, or was improperly provided to Company in violation of any individual’s rights, your privacy policies or applicable laws (or regulations promulgated thereunder), (ii) by your affiliates arising from or relating to the Managed Services, (iii) arising from a third party’s reliance on any results or output of the Managed Services, and (iv) in the case of an MSP, that you do not have the authority to act as an agent of your end customer or you do not have all necessary consents to bind the end customer to the terms of this Agreement.
  14. Export and Data Protection Laws.

    a. Export Law. You agree to comply fully with all U.S. and other applicable export laws and regulations to ensure that neither the associated software nor any technical data related thereto nor any direct product thereof are exported or re-exported directly or indirectly in violation of, or used for any purposes prohibited by, such laws and regulations.

    b. Data Protection Laws. To the extent Company processes personal information, as defined by applicable law (“Personal Data”) of a data subject on behalf of you as a processor as defined by any applicable data protection laws, it will do so only on documented instructions from you pursuant to this Agreement, to operate Company software or provide Company services, and as permitted or required by applicable law. In the event Company processes Personal Data for purposes other than the above, it will do so as data controller as defined under applicable data protection laws. By entering into this Agreement, you have instructed Company to process your Personal Data in such manner. To the extent mandated by applicable data protection laws, Company will: (1) take appropriate measures to ensure the security of Personal Data processed; (2) ensure that its personnel who process Personal Data are subject to a duty of confidence; (3) ensure that no third party processes any Personal Data received from you except in accordance with applicable data protection laws or with the consent of you as applicable; (4) reasonably assist you with your rights and obligations as data controllers, including assistance with: obligations in connection with data subject access requests and other data subject rights under applicable data protection laws; and controllers’ responsibilities concerning the security of processing and audit requirements; (5) notify you if a security incident has occurred that compromises the privacy, security or confidentiality of your Personal Data, provided that we have your contact information, investigate such security incident and take reasonable steps in mitigating the effects and minimizing any damage resulting from the security incident as required by applicable law; and (6) subject to applicable laws, delete Personal Data upon your request unless there is a statutory legal basis to retain it. The terms of the data processing addendum (“DPA”) at http://www.threatdown.com/legal are incorporated by reference and will apply to the extent Company receives any Personal Data as defined in the DPA. For the purposes of the E.U. Standard Contractual Clauses, you and your applicable affiliates are each the data exporter and your acceptance of this Agreement will be treated as its execution of the E.U. Standard Contractual Clauses and appendices. Company will only use the Personal Information we receive from you for performing the services specified in this Agreement. Personal Data may be sent to facilities hosted outside of the country where you purchased or utilizes the Company software. Company will comply with the European Economic Area data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area, appropriate transfer mechanisms, where applicable.
  15. Feedback; Marketing.
    If you provide any ideas, suggestions, or recommendations regarding the Managed Services or any Company products or services (“Feedback”), Company will be free to use, disclose, reproduce, license or otherwise distribute, and exploit such Feedback as it sees fit, entirely without obligation or restriction of any kind. By providing Feedback, you grant Company a worldwide, perpetual, irrevocable, sublicenseable, fully-paid and royalty-free license to use and exploit in any manner such Feedback.
  16. General.
    Except as set forth below, each party agrees to the governing laws and the exclusive jurisdiction, without regard to choice or conflicts of law rules, based on Your domicile as shown in the table below:
Your DomicileGoverning LawExclusive Jurisdiction
Canada, or the United States of AmericaDelaware lawThe state of federal courts located in the Northern District of California
Europe, the Middle East, or AfricaIrishThe courts located in Dublin, Ireland.
Asia and OceaniaSingaporeThe courts located in Singapore.

If You are accepting the Agreement on behalf of a U.S. federal government entity, then the following applies instead of the paragraph above: the laws of the United States of America, excluding its conflict of laws rules, will apply to any disputes arising out of or related to this Agreement. Solely to the extent permitted by U.S. federal law: (i) the laws of the State of Delaware (excluding Delaware’s conflict of laws rules) will apply in the absence of applicable federal law; and (ii) FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THE AGREEMENT OR THE SOFTWARE, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA.

If you are accepting this Agreement on behalf of a U.S. city, county, or state government entity, then the following applies instead of the paragraph above: the parties agree to remain silent regarding governing law and venue.

The United Nations Convention on Contracts for the International Sale of Goods will not apply.

You may not assign or transfer this Agreement or any rights granted hereunder, by operation of law or otherwise, without Company’ prior written consent, and any attempt by you to do so, without such consent, will be void. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise. All notices or approvals required or permitted under this Agreement will be in writing and delivered by email (we will email you at the email address you provided us when you initially purchased your license), and in each instance will be deemed given upon receipt. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by authorized representatives of both parties. Nothing in this Agreement will be construed to create a partnership, joint venture or agency relationship between the parties. Neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent. If any provision of this Agreement is held to be unenforceable or invalid, that provision will be enforced to the maximum extent possible, and the other provisions will remain in full force and effect. This Agreement is the complete and exclusive understanding and agreement between the parties regarding its subject matter, and supersedes all proposals, understandings or communications between the parties, oral or written, regarding its subject matter, unless you and Company have executed a separate agreement. Any terms or conditions contained in Your service order or other purchasing document that are inconsistent with or in addition to the terms and conditions of this Agreement are hereby rejected by Company and will be deemed null. You acknowledge that Company is not a Business Associate or subcontractor (as those terms are defined in Health Insurance Portability and Accountability Act commonly referred to as ‘HIPAA’) or a payment card processor and that the Software, SaaS Services, and any services provided may not be HIPAA nor PCI DSS compliant.