Incident Response Retainer Addendum
SENTINELONE INCIDENT RESPONSE RETAINER ADDENDUM
This SentinelOne Incident Response Retainer Addendum (“IR Addendum”) describes the terms and conditions for the IR Services (as defined below) provided by SentinelOne, Inc. or one of its Affiliates (collectively “SentinelOne”) to the SentineOne customer (“Customer”) who subscribed to the SentinelOne Solutions (“Solutions”) under the SentinelOne Master Subscription Agreement (“MSA,” available on the SentinelOne website www.sentinelone.com/legal/master-subscription-agreement/, or another version of the MSA agreed to in writing among the Customer and SentinelOne and who also purchased IR Hours (defined below) as stated in a valid Quote or Purchase Order. SentinelOne and Customer may sometimes be referred to herein as a “Party” and together the “Parties.” The Parties agree as follows:
1. Definitions. Certain capitalized terms used in this IR Addendum shall have (i) the meaning assigned to such terms where defined, and (ii) if not defined in this IR Addendum, the meaning assigned to such terms in the MSA. The following terms have the described meaning in this IR Addendum:
1.1 “Incident” means any occurrences or suspected occurrence of:
1.1.1. Hostile action(s), or a threat of hostile action(s), that has the intent to affect, alter, copy, corrupt, destroy, disrupt, damage, or provide unauthorized access to Customer’s computer system(s) or computer network(s);
1.1.2. Threat of, or actual introduction, implantation, or spread of a corrupting, harmful, or otherwise unauthorized piece of code that infiltrates computer system(s), including a set of unauthorized instructions, programmatic or otherwise, that propagates itself through Customer’s computer network(s) such as computer viruses, Trojan horses, worms, and time or logic bombs; or
1.1.3. An attack on Customer’s computer system(s) or computer network(s) that results in the degradation or loss of proprietary information or quality of service of computer system(s) or computer network(s).
1.2. “IR Services” means incident scoping & investigation, containment, eradication, malware analysis, incident documentation and transitioning incident details to additional designated incident response partners of Customer if requested by Customer.
2. Pricing for IR Services Level.
2.1. The Customer shall pay for IR Services as indicated in the Purchase Order from Customer or a Partner that references a valid Quote received from SentinelOne. The number of hours for IR Services are as indicated in the Purchase Order (“IR Hours”). If IR Hours are part of another service offered by SentinelOne then the payment for such other service shall apply. SentinelOne will allocate resources to fulfil any commitment for IR Hours purchased under this IR Addendum and any unused IR Hours at the end of the then current IR Addendum Term shall expire. All fees paid hereunder are nonrefundable. The Customer may purchase additional IR Hours at a rate indicated in the table below for Customer’s current IR Services Level. The Customer shall pay the fees for the IR Services Level and any additional IR Hours in accordance with the payment terms of the MSA.
2.2. Expenses are not included. SentinelOne provides all IR Services remotely and is not required to go onsite at one of Customer’s facilities. However, in the event both Parties agree that SentinelOne will perform some IR Services onsite, then Customer shall reimburse SentinelOne for the reasonable expenses for travel, lodging, communications, shipping charges and out-of-pocket expenses incurred by SentinelOne in connection with providing the IR Services (“Expenses”). SentinelOne will provide reasonable documentation for all Expenses as requested by Customer.
3. IR Retainer Services. SentinelOne will perform IR Services up the number of IR Hours purchased by Customer. Customer may also use its purchased IR Hours towards targeted threat hunting and guided post Incident improvements.
4. Retainer Process.
4.1. Upon receiving notice of or discovering an Incident, Customer shall inform SentinelOne to start IR Services by calling the number that a SentinelOne representative will provide to Customer (“IR Hotline”) and notify the person answering the IR Hotline that the Customer wishes to activate the IR Services (“Activation Request”). SentinelOne may change the phone number for the IR Hotline upon notice to Customer. In Customer’s Activation Request, Customer must include any reasonable instructions for a communication process between Customer and SentinelOne and what Customer perceives as the scope of the Incident. A minimum of four (4) IR Hours will be used per Activation Request received by SentinelOne.
4.2. Once SentinelOne receives a complete Activation Request, the following shall take place:
4.2.1. Delivery Manager Response. A SentinelOne engagement delivery manager (“Delivery Manager”) will initiate the IR Services and respond to the Customer within the timeframe specified in the IR Services Level Table below (“Initial Response”).
4.2.2. Initial Scoping of Incident: The Customer will explain what it believes the Incident is and SentinelOne will perform IR Services to validate and establish the scope of the Incident. SentinelOne will draft an engagement plan that SentinelOne will update as part of the IR Services.
4.2.3. Preservation & Installation: Depending on the incident, SentinelOne may review the Solutions configuration hygiene, logs collected, Deep Visibility results exported, install Deep Visibility and Ranger (as defined below) for the limited use of IR Services, and new SentinelOne Solutions installed on Endpoints as needed. Additional forensics collection tools may be used as needed. Similarly, SentinelOne Shell access and access in general should be granted to analysts. Data will be retained following best practices. Should any additional data be relevant and needed for IR Services, SentinelOne will request such and Customer shall be solely responsible to facilitate the collection, preservation and provision of that additional data to SentinelOne. “Deep Visibility” and “Ranger” are functions of the SentinelOne product offerings as described on SentinelOne’s website https://www.sentinelone.com/.
4.2.4. Incident Scope: A Delivery Manager will send Customer the initial findings within the timeframe specified in the IR Services Level Table below (“Initial Findings”). A Delivery Manager will schedule an update with Customer to go over the status and any Initial Findings to address the overall impact and scope of the incident.
4.2.5. Hand off to partner as needed: All relevant incident data and incident summaries will be made available to Customer, or at Customer’s written request, to a third party incident response partner.
4.2.6. Investigative report: On Customer’s written request, SentinelOne will create an investigative report summarizing the results of the IR Services.
4.2.7. IR Services Level Table. SentinelOne will provide the Initial Response and Initial Findings within the time period as indicated in the IR Services Level table below. SentinelOne will not be responsible for any delays due to Customer’s failure to provide information as required under this Agreement.
| IR Services Level Table | Time from when SentinelOne received the Activation Request |
|---|---|
| Initial Response | 8Hrs |
| Initial Findings | 24Hrs |
5. Customer Responsibilities.
5.1. The Customer agrees to:
5.1.1. Provide SentinelOne with copies of all configuration information, log files, intrusion detection events, and other supporting information required for the purposes of the investigation in a timely manner;
5.1.2. Manage the collection and dissemination of all information regarding an Incident with the Customer’s technical and managerial personnel, legal and public relations departments, others within the Customer’s enterprise, and other companies if applicable;
5.1.3. Be responsible for and facilitate all communications between the SentinelOne Investigative Response team personnel and any third-party vendors, including Internet service providers and content-hosting firms, used by the Customer to implement an internet presence;
5.1.4. For onsite engagements, provide a secure office or work area equipped with desks, chairs, telephones, and laptop computer connections (or analog telephone lines, as SentinelOne specifies) for use by the SentinelOne Investigative Response team personnel while working on project premises;
5.1.5. Provide the SentinelOne team personnel with access to computer systems, computer networks, and administrative access to systems as needed by SentinelOne and to enable network communications with SentinelOne’s investigative tools as agreed upon, which may include but is not limited to allowing SentinelOne to perform remote analysis of Your Data (as defined in the MSA), make full forensic images of computer systems and random access memory of such computer systems, and collect other relevant information;
5.1.6. Be responsible for the decision to implement (or not to implement) SentinelOne recommendations, the actions taken to do so, and the results achieved from such implementation;
5.1.7. Cooperate with SentinelOne’s requests in its provision of IR Services; and
Be responsible for data content, as well as the use and implementation of security and access controls.
6. Subcontractors. SentinelOne may retain sub-contractors in the event additional IR Hours are purchased by Customer or the scope of IR Services is expanded.
7. Warranty
SentinelOne warrants the provision of professional IR Service in accordance with the terms of this IR Addendum, however SentinelOne does not warrant or guarantee identification of every existing threat, any resolution of an Incident or any identified threat, error-free threat classification, correct incident prioritization, that IR Services are successful in removing or resolving threats, any desired outcome of the IR Services, satisfactory threat response or threat hunting. In subscribing to the IR Service, Customer acknowledges the foregoing disclaimers with respect to SentinelOne’s provision of the IR Service. Without limiting the foregoing, SentinelOne provides the IR Service as an “as is” service without any warranties, express or implied, including, without limitation, warranties of merchantability, fitness for a particular purpose, accuracy, non-infringement, or those arising by law, statute, usage of trade, or course of dealing.
8. Limitation of Liability.
EXCEPT FOR CUSTOMER’S OBLIGATION TO PAY FOR IR HOURS, IN NO EVENT WILL EITHER PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS IR ADDENDUM EXCEED FORTY THOUSAND ($40,000) DOLLARS. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOSS OF PROFITS, LOSS OF USE, LOSS OF REVENUE, LOSS OF GOODWILL, ANY INTERRUPTION OF BUSINESS, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF, OR IN CONNECTION WITH THIS IR ADDENDUM, WHETHER IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN ADVISED OR IS OTHERWISE AWARE OF THE POSSIBILITY OF SUCH DAMAGES. MULTIPLE CLAIMS WILL NOT EXPAND THIS LIMITATION. THIS SECTION WILL BE GIVEN FULL EFFECT EVEN IF ANY REMEDY SPECIFIED IN THIS IR ADDENDUM IS DEEMED TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
9. Term and Termination.
The term of this IR Addendum will begin on the date of purchase of IR hours as indicated in a valid Quote or Purchase Order and continue for 12 months (the “Initial Term”). Thereafter, this IR Addendum will automatically renew for additional successive periods of twelve (12) months for the same IR Hours if purchased by Customer (each, “Renewal Term” and together with the Initial Term, “Term”), unless either Party notifies the other in writing no less than thirty (30) days prior to the close of the then-current Initial or Renewal Term of its intention not to renew. In the event the MSA terminates then this IR Addendum shall also terminate. IR Hours must be used within the same Initial Term or Renewal Term that they are purchased. Any unused IR Hours purchased in the Initial Term shall expire upon expiration of the Initial Term and any unused IR Hours purchased for any Renewal Term shall expire upon expiration of any such Renewal Term.
10. General Provisions.
10.1. Entire Agreement. This IR Addendum and the MSA sets forth the entire agreement and understanding of the Parties relating to the subject matter hereof, and supersedes all prior or contemporaneous agreements, proposals, negotiations, conversations, discussions and understandings, written or oral, with respect to such subject matter and all past dealing or industry custom. In the event of any conflict between the terms of the MSA and this IR Addendum, then the terms of this IR Addendum shall prevail with respect to the IR Services.
10.2. Independent Contractors. Neither Party will, for any purpose, be deemed to be an agent, franchisor, franchise, employee, representative, owner or partner of the other Party, and the relationship between the Parties will only be that of independent contractors. Neither Party will have any right or authority to assume or create any obligations or to make any representations or warranties on behalf of any other Party, whether express or implied, or to bind the other Party in any respect whatsoever.
10.3. Governing Law and Venue. This IR Addendum will be governed by and construed in accordance with the laws of the State of California applicable to IR Addendums made and to be entirely performed within the State of California, without resort to its conflict of law provisions. The state or federal court in Santa Clara County, California will be the jurisdiction in which any suits should be filed if they relate to this IR Addendum. Prior to the filing or initiation of any action or proceeding relating to this IR Addendum, the Parties must participate in good faith mediation in Santa Clara County, California (except an action or proceeding required to protect or enforce a Party’s Intellectual Property Rights). If a Party initiates any proceeding regarding this IR Addendum, the prevailing Party to such proceeding is entitled to reasonable attorneys’ fees and costs for claims arising out of this IR Addendum.