SaaS Solution Terms & Conditions Metallic’s SaaS Solution is the “easy button” for cost-effective, secure and scalable data management, backup and security, with a single command center, enabling organizations to deliver on data protection strategies. Built with layered, air-gapped cloud security, secure and restrictive account access and data isolation, Metallic’s SaaS Solution provides ease you can trust. 1. Getting Started. As a Customer you will register a Commvault account and provide Commvault with accurate and complete information (the “Customer Account”). Customers may authorize one or more of its employees, consultants, vendors or agents (collectively, “Authorized Users”) to access and use the SaaS Solution on Customer’s behalf. Each Authorized User will establish or be provided a username and password, and may also establish or be provided other access credentials, such as an encryption key (the “Access Credentials”). Customer acknowledges that its Authorized Users have full access to and management privileges of its Customer Account(s) and Customer Data. The term “Customer” is intended to include its Authorized Users for the purposes of the Terms. 2. SaaS Solution Agent. Customers may be required to download or install a software agent to support the SaaS Solution. Commvault grants Customers a limited, non-exclusive, non-sublicensable, non-transferable and revocable license to install, execute and use the agent solely in binary code form during the SaaS Solution Term, and access the SaaS Solution in accordance with the Privacy Policy, FAQs, website, user manuals and other information provided to assist Customer in its use and operation of the SaaS Solution (the “Documentation”). Customer’s license to the agent is co-terminus with Customer’s right to access and use the SaaS Solution for which the agent is required. Customer grants Commvault a worldwide, non-exclusive, royalty-free, fully-paid up, transferable and sublicensable right to use, replicate, deduplicate, and store Customer Data for the purpose of delivering the SaaS Solution pursuant to these Terms, improving the SaaS Solution, and as otherwise provided in Commvault’s Privacy Policy. “Customer Data” means the data transmitted by Customer to Commvault in connection with the provision of the SaaS Solution. 3. Global Availability and Support. 3.1 Global Service and Support. Commvault is proud to administer the SaaS Solution from global geographic locations that best suit our Customers’ needs. Where applicable and subject to data center availability, Customer Data will be backed up to a data center located in Customer’s country of origin, or in a geographic location selected by Customer. For additional information, refer to the SaaS Solution configuration portal. Commvault is pleased to provide Customers with the support program for the SaaS Solution as set forth at Metallic Support. The support terms are incorporated by reference and may be modified from time to time in Commvault’s sole discretion. Communications related to support of the SaaS Solution may be sent to customersuccess@metallic.io.3.2 Global Availability. The SaaS Solution is available at least 99.9% of the time measured on a monthly basis (“Uptime”). The Uptime does not apply to any downtime due to: (i) any emergency or planned maintenance, repair, or upgrade; (ii) issues or failures with Customer’s or its service providers’ services, applications, software, hardware or other components not supplied by Commvault; (iii) third-party attacks, intrusions, distributed denial of service attacks or force majeure events, including those at Customer’s site or between Customer’s site and data centers made available through the SaaS Solution; or (iv) Customer’s acts or omissions in violation of these Terms. In the event of Commvault’s Uptime failure, Commvault shall: (i) use commercially reasonable efforts to provide Customer with an error correction or work-around that corrects the Uptime failure; and (ii) provide Customer with a credit as set forth in the table below (a “Service Credit”), provided such Service Credit is approved by Commvault, such approval not to be unreasonably withheld. For the avoidance of doubt, service providers are not eligible for Service Credits. Within thirty (30) days of the downtime incident, Customer must submit a Service Credit claim to Commvault with all information necessary for Commvault to validate such claim, including: (i) a detailed description of the incident; (ii) information regarding the time and duration of the downtime; and (iii) a description of the attempts to resolve the incident. Service Credits will be applied to Customer’s next invoice. Customer is not eligible for any Service Credits if Customer’s use of the SaaS Solution is free of charge. This is Customer’s sole and exclusive remedy for any Uptime failure. SaaS Solution AvailabilityService CreditLess than 99.9%10%Less than 99%25% 4. Data Privacy & Security. 4.1 Commvault Privacy and Security Program. Customer data privacy and security is Commvault’s priority. Commvault represents and warrants that it maintains: (i) network security, business continuity and disaster recovery policies and procedures commensurate with industry best practices; and (ii) administrative, physical and technical safeguards designed to secure Customer Data from accidental or unauthorized access, use, alteration or disclosure. Commvault’s collection, use, processing, storage and disclosure of any personal data included in Customer Data shall be in accordance with applicable data protection laws and Commvault’s Privacy Policy. Customer acknowledges that it is Customer’s responsibility to verify that the SaaS Solution’ security and privacy protections are adequate and in compliance with all applicable laws governing the type of data included in Customer Data. Customer acknowledges (i) effective security is dependent on multi-layered, multi-faceted combination of solutions, deployed and managed in accordance with appropriate policies and procedures consistently applied, (ii) the quality of data, other output and strength of Customer’s threat detection program are dependent on the configuration and deployment of the deceptive environment by Customer and its Authorized Users, and (iii) no individual element alone is sufficient to detect and prevent all security threats, as a result Commvault does not warrant and disclaims liability that all security threats will be detected and prevented by the Solutions. Customer agrees to, and will ensure that each Authorized User will, notify Commvault at ITCompliance@commvault.com immediately upon learning of any suspicious access to its Customer Account. Commvault’s comprehensive privacy and security program is set forth in the Security Terms and incorporated herein by reference. 4.2 Access. Customer data privacy and security is Commvault’s priority. At times, Commvault may be required to access or disclose Customer Data: (i) to provision the SaaS Solution to Customer pursuant to these Terms; (ii) to respond to a validly issued subpoena, an investigative demand or warrant; (iii) to investigate or prevent security threats, fraud, or other illegal, malicious, or inappropriate activity; (iv) to enforce or protect Commvault’s rights and properties or those of its affiliates or subsidiaries; or (v) with the informed consent of the data subject. In the event Commvault is required to access Customer Data, Commvault shall not disclose Customer Data to third parties without Customer’s consent or instruction, unless prohibited by law. 5. Term. Commvault initiates activation of the SaaS Solution upon receipt of a valid purchase order, by providing Customer with access to an account (the “Activation Date”). The term of Customer’s subscription to the SaaS Solution shall begin on the Activation Date and continue as set forth on the applicable purchase order (the “SaaS Solution Term”). The SaaS Solution Term shall renew for an equal term unless either party provides written notice of non-renewal sixty (60) days prior to the renewal date. 6. Customer Acknowledgments. Customer agrees: (i) Customer is solely responsible for data retention policies and any other policy settings, schedules, and configurable parameters applied to Customer Data, including implementing its own specific retention policies, (ii) Customer and its Authorized Users will keep Access Credentials confidential, and Customer remains responsible for the acts and omissions of its Authorized Users and any activity that occurs under its Customer Account(s) using the Access Credentials; (iii) Customer will use the most current version of the SaaS Solution at all times, unless otherwise agreed in writing; (iv) Customer is responsible for the security of its Customer Data if Customer disables any encryption or other security feature within the SaaS Solution; and (v) Customer is responsible for maintaining its own internet and data connections, and components of the SaaS Solution that are accessed or used through internet connections and may be subject to Customers’ internet service providers fees and downtime. Customer acknowledges Customer Data may not be available if: (i) Customer’s initial backup and replication is not properly completed by Customer; (ii) Customer deletes Customer Data and does not restore it after deletion pursuant to Customer’s data retention policies; (iii) Customer selects incorrect or inappropriate retention policies within the SaaS Solution; (iv) Customer’s IT environment is unable to secure a connection with Commvault’s servers or network; or (v) Customer fails to follow Commvault’s technical requirements and the Documentation for utilizing the SaaS Solution, including installing updates, or failing to periodically test Customer’s backups and restores, or ensure that Customer Data is protected and not otherwise corrupted. Copyright Acknowledgment © 1997-2022 Commvault Systems, Inc. All rights reserved.