SIGNED BOARD REPORT�"��|E��������MONTEREY COUNTY BOARD OF SUPERVISORS
MEETING: May 17, 2011 Consent AGENDA NO: a19
SUBJECT: a. Approve and authorize on behalf of the Information Technology
Department, the Monterey County Contracts/Purchasing Officer to sign
the Qualys, Inc. Guard Tool Software Application End User Agreement,
for security vulnerability identification and remediation, in an amount not
to exceed $97,574 for the period of July 1, 2011 through June 30,2012; and
b. Accept Non-Standard County Liability and Indemnification Provisions as
recommended by the Director of Information Technology.
DEPARTMENT: Information Technology Department
RECOMMENDATIONS:
It is recommended that the Board of Supervisors:
a. Approve and authorize, on behalf of the Information Technology Department, the Monterey
County Contracts/Purchasing Officer to sign the Qualys, Inc. Guard Tool Software
Application End User Agreement, used for security vulnerability identification and
remediation, in an amount not to exceed $97,574 for the period of July 1, 2011 through June
30,2012; and
b. Accept Non-Standard County Liability and Indemnification Provisions as recommended by the
Director of Information Technology.
SUMMARY:
This agreement will compensate Qualys, Inc. for an information security vulnerability
identification and remediation system to perform regular and thorough vulnerability management
activities and audits throughout the County, spot new vulnerabilities immediately, and proactively
remediate them to protect County information assets against vulnerability exploitation. In the first
two months of 2011 alone, there were more than 106,000 instances of vulnerabilities identified
within the County, and over 130,000 attack attempts against the County to exploit known
vulnerabilities. The County used this system for the past five years, and it has been the primary
cause of a significant drop in the number of vulnerabilities present on County workstations, servers
and network devices, due to its highly accurate vulnerability assessments and remediation
information provided to administrators.
It is also requested that your Board approve non-standard liability and indemnification provisions
of the agreement.
DISCUSSION:
Since September of 2005, the County Information Technology Department ITD) has utilized the
QualysGuard scanning tool and service, first under an initial trial agreement, and for the past 4
years, as a paying customer of Qualys see attached documentation for previous service
agreements). This tool has provided the on-demand ability for ITD to scan County Information
Technology IT) assets for information security vulnerabilities, and compare them against an
industry-leading knowledge base of vulnerabilities with a 99.999% accuracy rate. In computer
security, the word vulnerability refers to a weakness in a system which can allow an attacker to
violate the confidentiality, integrity, availability, or audit mechanism of a system or the data and
applications it hosts. Vulnerabilities often result from bugs' or design flaws in a system. The
Qualys tool automatically provides the County with the results of such scans, including detailed
reports with verified remediation actions to be undertaken by County staff supporting
administrative, legal, health, finance, and social service systems.
BIB]
40689-U01
SIGNED-U02
BOARD-U02
REPORT-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102453-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
SIGNED BOARD REPORT�"��|E��������Security of County scans and the resulting information is ensured by end-to-end encryption of
vulnerability data and SAS/70 audited security architecture to provide maximum data protection.
The County was originally presented with an as-is" agreement for this tool. During the trial
period, the County was able to negotiate more favorable terms with the vendor and has achieved
improvements to the vendor's standard agreement in several areas. These terms have persisted
through the last four years of agreements we have signed and continue to maintain with the vendor.
This agreement is for a renewal of our existing service with the vendor.
The vendor is unwilling to accept an indemnification clause with no limits, and the ITD has agreed
to an indemnification limit of three times the fees paid during the previous 12 months. The IT
Director believes that the continued reductions in security risks to the County outweigh the risks
associated with this agreement.
OTHER AGENCY INVOLVEMENT:
The County Counsel and Auditor-Controller have reviewed the Agreement and concur. The
Agreement is on file with the Clerk of the Board.
FINANCING:
There is no impact to the General Fund. Funds for the Agreement have been included in the FY
2011-12 Recommended Budget ITD 1930, Unit 8137, and Appropriations Unit INF002).
Dan Kern Richard C. Lang
Chief Security and Privacy Officer Acting Director of Information Technology
796-1449 796-1404
/ 2D~1
Date
Date
1 Lo
Attachment:
Agreement
cc: Charles J. McKee, County Counsel
Michael Miller, Auditor-Controller
BIB]
40689-U01
SIGNED-U02
BOARD-U02
REPORT-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102453-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����28
Before the Board of Supervisors in and for the
County of Monterey, State of California
Agreement No. A-11986
a. Approve and authorize on behalf of the Information
Technology Department, the Monterey County
Contracts/Purchasing Officer to sign the Qualys, Inc. Guard
Tool Software Application End User Agreement, for
security vulnerability identification and remediation, in an
amount not to exceed $97,574 for the period of July 1, 2011
through June 30,2012; and
b. Accept Non-Standard County Liability and Indemnification
Provisions as recommended by the Director of Information
Technology
Upon motion of Supervisor Potter, seconded by Supervisor Salinas, and carried by those
members present, the Board hereby;
a. Approved and authorized, on behalf of the Information Technology
Department, the Monterey County Contracts/Purchasing Officer to sign the
Qualys, Inc. Guard Tool Software Application End User Agreement, used for
security vulnerability identification and remediation, in an amount not to
exceed $97,574 for the period of July 1, 2011 through June 30,2012; and
b. Accepted Non-Standard County Liability and Indemnification Provisions as
recommended by the Director of Information Technology.
PASSED AND ADOPTED on this 17th day of May, 2011, by the following vote, to wit:
AYES: Supervisors Armenta, Calcagno, Salinas, Parker, and Potter
NOES: None
ABSENT: None
I, Gail T. Borkowski, Clerk of the Board of Supervisors of the County of Monterey, State of California, hereby
certify that the foregoing is a true copy of an original order of said Board of Supervisors duly made and entered
in the minutes thereof of Minute Book 75 for the meeting on May 17, 2011.
Dated: May 17, 2011 Gail T. Borkowski, Clerk of the Board of Supervisors
County of Monterey, State of California
By
Deputy
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����QUALYSGUARD� END-USER AGREEMENT
This QUALYSGUARD END-USER AGREEMENT this Agreement") is made as of this
day of 2011 the Effective Date"), by and between QUALYS, INC., a Delaware
corporation Qualys"), and County of Monterey, a political subdivision of the State of California
End-User"). This Agreement, including the information submitted to Qualys upon registration
for the Service Registration"), governs End-User's use of and access to the QualysGuard
service the Service"), whether such subscription is obtained directly from Qualys or from an
authorized Qualys Reseller Authorized Reseller").
1. Service Description. Upon End-User's completion of Registration and Qualys'
acceptance of End-User's Registration request, End-User will be entitled to use the Service in
accordance with the terms of this Agreement. The Service will permit End-User to scan the IP
addresses, web applications and/or domain names identified by End-User to Qualys for those
vulnerabilities contained within the Service's vulnerability database. Qualys will automatically
provide End-User with the results of such scans, including reports summarizing Qualys' findings
regarding the 1P addresses, website URLs in the case of Web Application Scanning Service
referred herein as Web Applications"), and/or domain names identified by End-User for
scanning the Reports"). End-User must notify Qualys or its Authorized Reseller, using the
Service interface, of any changes in the IP addresses, Web Applications, and/or domain names
submitted for scanning. End-User also must notify Qualys or its Authorized Reseller in writing if
End-User desires to increase the number of IP addresses, Web Applications, and/or domain
names to be tested under the Service. Pursuant to Section 8, any increase in the number of IP
addresses, Web Applications, and/or domain names covered by the Service may require the
payment of additional fees. If End-User allocates IP address to devices by the Dynamic Host
Configuration Protocol DHCP"), End-User may submit a range or ranges) of IP addresses for
scanning, provided that End-User will not be entitled to use the Service to scan a number of
devices greater than the number covered by End-User's subscription. Any such attempts to scan
a greater number of devices or Web Applications will result in an error message and a prompt to
upgrade to an appropriate subscription level.
2. User Name and Password. Upon Qualys' acceptance of End-User's Registration,
End-User will be registered and receive a user name and password for the Service. Qualys
generates End-User's password in encrypted form and only End-User has access to it. End-User
will be responsible for keeping End-User's user name and password confidential. End-User shall
notify Qualys or its Authorized Reseller immediately upon learning of any unauthorized use of
End-User's user name or password. Until such time as End-User notifies Qualys of any
unauthorized use of End-User's user name or password, End-User will be responsible for all
activities and charges incurred through the use of End-User's user name and password, and will
indemnify and hold harmless Qualys for any claims, liability, damages, losses and costs
including reasonable attorneys' fees) to the extent resulting from such use.
3. API. Upon Qualys' agreement, End-User may choose to have access to the Service
through Qualys' proprietary API the API") by paying to Qualys a non-refundable annual API
Maintenance Fee, if applicable, according to Qualys' pricing described in Section 8 below. If
End-User chooses the API option, during the period for which End-User has paid the applicable
API Maintenance Fee, Qualys will provide End-User with the API, through which End-User may
access and query the Service and receive raw data generated from scans of End-User's IP
addresses and/or Web Applications the Scan Data"). If the API option is selected, Qualys
Qualys Confidenfial 2009-06-01
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����hereby grants End-User a nonexclusive, nontransferable, and revocable right to i) access and
process the Scan Data via the API for the purpose of generating Reports based on the Scan Data
and ii) use and reproduce such Reports solely for internal business purposes and solely for the
purpose of vulnerability assessment with regard to the relevant IP address and/or Web
Application.
4. Card Programs. Qualys will provide End-User, as part of the Service, a customized
version of the Reports containing information designed to meet the criteria of the Qualys-
supported payment card compliance program of the PCI Security Standards Council the Card
Program"). In certain circumstances, Qualys personnel may also provide individualized
assistance to End-User to facilitate a determination regarding End-User's compliance with Card
Program. Qualys provides the Service in connection with Card Program, including any
customized Reports and individualized assistance, solely as a tool to enable End-User to evaluate
its compliance with such Card Programs. End-User acknowledges and agrees that third party
payment card organizations, and not Qualys, establish the security criteria and other terms and
conditions of the Card Program Criteria").
5. Grant of Rights. Subject to End-User's payment of any applicable fees and End-User's
compliance with the terms and conditions of this Agreement, Qualys grants End-User a non-
exclusive, non-transferable right to access the Service's user interface and to reproduce solely for
End-User's own internal business purposes only such vulnerability test results as set forth in the
Reports.
6. Hardware. Qualys hardware products, including the QualysGuard Intranet Scanner
appliance delivered to End-User under this Agreement Hardware") are provided to End-User
under subscription on an annual basis, during the term of the relevant subscription. End-User
acknowledges that not all Service subscriptions include Hardware. a) Qualys will select the
carrier for delivery and bear the cost of shipment, insurance and duties for delivery of the
Hardware to the location designated by End-User in an accepted Purchase Order.
Notwithstanding the foregoing, Qualys will not be liable for damage or penalty for delay in
delivery. b) Subject to the Hardware warranty in Section 13(a), End-User assumes all risk of
loss and shall pay for all cost of repair, replacement, or refurbishment caused by accident, misuse,
abuse, neglect, or End-User's other failure to install, use and maintain the Hardware in
accordance with the applicable documentation and specifications. Subject to the terms and
conditions of this Agreement, Qualys and its suppliers grant End-User a limited, non-exclusive,
non-transferable, non-sublicenseable right to use the software embedded in the Hardware in
executable code form only, during the term of the relevant subscription, solely as necessary to
operate the Hardware in connection with the Service. c) Notwithstanding anything to the
contrary in this Agreement, Qualys will at all times retain title to the Hardware. End-User may
retain and use Hardware during any subscription renewal term, provided that End-User pays the
applicable subscription fee for such renewal term. Upon termination or expiration including
non-renewal) of this Agreement or End-User's subscription, End-User will return all Hardware
provided under this Agreement within fifteen 15) days of such expiration or termination, in
substantially the same condition in which it was delivered to End-User. End-User will pay all
return transportation and delivery costs.
7. Restrictions. The rights granted to End-User in this Agreement are subject to the
following restrictions, and End-User hereby covenants as follows: a) End-User may use the
Service and the Hardware only to scan IP addresses, Web Applications, and/or map domain
names owned by and registered to End-User, or for which End-User otherwise has the full right,
power, and authority to consent to have the Service scan and/or map. End-User may not rent,
Qualys Confidential 2009-06-01 2
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����lease, or loan the Service, or any part thereof. Neither may End-User permit third parties to
benefit from the use or functionality of the Service via timesharing, service bureau arrangements
or otherwise. b) While there is no software transfer necessary from Qualys to End-User to
effectuate the Service, End-User agrees not to reverse engineer, decompile, or disassemble any
software that is embedded in or related to the Hardware or that provides the Service, or otherwise
attempt to derive the processes by which the Service is provided or the Reports are generated,
except to the extent the foregoing restriction is expressly prohibited by applicable law. c) End-
User may not use the Service or the Hardware except for the limited purpose of vulnerability
management with regard to the IP addresses and/or Web Applications for which End-User has
purchased a subscription package. d) End-User may not make any alteration, addition or
modification to the Hardware; open, disassemble or tamper with the Hardware in any fashion; or
transfer possession of the Hardware to any third party.
8. Payment. Upon the Effective Date, End-User shall make an initial purchase as set
forth in Exhibit A. End-User shall be obligated to pay Qualys or its Authorized Reseller, as
applicable, a) the fees attributable to the subscription package(s) purchased by the End-User
including subscriptions to Hardware); and b) the API Maintenance Fee if applicable. For End-
User's initial purchase, such fees will be according to Exhibit A. For subsequent purchases
including renewals), such fees will be according to Qualys' applicable list price, or at such other
price to which the End-User and the selling party may agree in writing. The applicable scanning
fees may change if End-User adds devices, IP addresses, Web Applications, and/or domain names
in the manner described in Section 1. Qualys and its Authorized Resellers reserve the right to
change the list price for Hardware, the Service or the API at any time; provided, however, that if
End-User has already paid for Hardware, Service or the API for a particular subscription term, the
price will not be changed during the term of such subscription. Payment from End-User will be
due and payable within thirty 30) days of the date of the applicable invoice or as otherwise
required by an Authorized Reseller. Payments by End-User that are past due will be subject to
interest at the rate of one and one-half percent 1'/z%) per month or the maximum allowed by
applicable law). Subject to any arrangement End-User has with an Authorized Reseller, should
Qualys so notify End-User at any time, any future payments under this Agreement shall be made
directly to Qualys or to such party as Qualys may specify in its notice to End-User. End-User will
be solely responsible for payment of any and all taxes and duties including value-added tax,
turnover tax, gross receipts tax, sales or use tax and customs duties) arising from or imposed on
any transactions conducted or products delivered hereunder, excluding taxes based on Qualys' or
its Authorized Reseller's net income. Without limiting the foregoing, if any amount payable by
End-User under this Agreement should be subjected to any deduction or withholding on account
of any tax or charge, End-User shall pay such additional amounts as may be required in order that
the net amount actually received, after deduction or withholding of all related taxes and charges,
shall be equal to the amount expressed to be payable pursuant to the terms of this Agreement.
9. Term; Termination by End-User. a) The initial term of this Agreement and of End-
User's subscription to the Service shall be for one 1) year or for such longer term as the parties
may agree in writing), commencing on the Subscription Start Date. b) End-User may terminate
this Agreement and receipt of the Service at any time upon thirty 30) days' advanced written
notice to Qualys for any reason. If End-User terminates the Agreement for convenience as set
forth above, End-User will not receive any refund or credit for any unused portion of a
subscription to the Service or any prepaid scanning fees. Upon termination or expiration
including non-renewal) of this Agreement or End-User's subscription, End-User must cease all
use of the Service, including any downloads of the Reports and, within fifteen 15) days of such
expiration or termination, return all Hardware provided under this Agreement in substantially the
Qualys Confidential 2009-06-01 3
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����same condition in which it was delivered to End-User. Qualys may terminate this Agreement at
any time upon thirty 30) days' prior written notice if End-User fails to pay any amounts due
hereunder or breaches any other provision of this Agreement. Sections 7 and 9 through 18 will
survive any termination or expiration of this Agreement.
10. Ownership. As between the parties, all title, copyrights, trademarks, service marks,
patents, patent applications and all other intellectual proprietary rights now known or hereafter
recognized in any jurisdiction in and to the Service, API, Reports, and the design and function of
the Hardware--and in each case all software embedded therein or related thereto, all data and
information contained therein excluding individual factual data gathered from the End-User's IP
addresses)--(the Intellectual Property Rights") are owned by Qualys and/or its licensors, and
End-User agrees to make no claim of interest in or ownership of any such Intellectual Property
Rights. End-User further acknowledges that the structure, organization, and code of all software
embedded in or related to the Service and the Hardware are the valuable trade secrets of Qualys
and/or its licensors. End-User acknowledges that no title to the Intellectual Property Rights in the
Service or the Reports is transferred to End-User, and that End-User does not obtain any rights,
express or implied, in the Service or the Reports, including any information contained within the
Reports, other than the rights expressly granted in this Agreement.
11. Confidentiality. Each party agrees to keep in confidence any confidential or
proprietary information it receives from the other party hereunder Confidential Information'").
Neither party shall disclose Confidential Information of the other party to third parties nor use
such Confidential Information for any purpose other than as expressly set forth in this Agreement.
To be accorded treatment as Confidential Information under this Agreement, the disclosing party
must identify any such information as confidential or proprietary at the time of disclosure.
Notwithstanding the marking requirement, all data regarding End-User's IP addresses, domain
names, Web Applications, or network characteristics including data that Qualys obtains as a
result of its provision of the Service hereunder) will be deemed Confidential Information of the
End-User, and all data and information contained within the Service or the Reports excluding
End-User's Confidential Information) and all information concerning or materially relating to the
Hardware, will be"deemed Confidential Information of Qualys. Information that is already in the
public domain through no fault of the receiving party, or was already known to the receiving
party through no breach of a confidentiality obligation to the disclosing party, shall not be treated
as Confidential Information hereunder. End-User may not access, use or refer to any information
or data contained within the Service or the Reports except for the limited purpose of vulnerability
management with regard to the IP addresses or Web Applications for which End-User has
purchased a subscription package. Nothing in this Agreement shall prohibit Qualys from using
aggregated data of End-User in any format for any purpose, provided that such data cannot be
identified to or associated with End-User.
12. Identification of IP Addresses. a) Because of the sensitive nature of performing
security checks on IP addresses and/or Web Applications, End-User represents and warrants that
End-User has full right, power, and authority to consent to have the Service test for vulnerabilities
scan") the IP addresses, Web Applications, and/or domain names identified to Qualys for
scanning, whether electronically or by any other means, whether at the time of initial Registration
or thereafter. Without limiting any other remedy that Qualys may have, End-User agrees to
indemnify and hold Qualys and its Authorized Resellers harmless from and against any and all
liabilities, losses, damages, costs and expenses, including without limitation reasonable attorneys'
fees and costs, incurred by Qualys or such Authorized Reseller resulting from End-User's breach
of this Section 12(a). b) End-User also acknowledges and agrees that the scanning of such IP
addresses, Web Applications, and/or domain names may expose vulnerabilities and in some
Quatys Confidential 2009-06-01 4
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����circumstances could result in the disruption of services at such site(s). Certain optional features of
the Service, including exploitive scans, involve substantial risk of Denial of Service DOS)
attacks, loss of service, hardware failure and loss or corruption of data. Consequently, End-User
agrees that it is End-User's responsibility to perform backups of all data contained in or available
through the devices connected to End-User's IP addresses, Web Applications, and/or domain
names prior to invoking the use of the Service.
13. Limited Warranty. a) Qualys warrants that, for the duration each particular
Hardware unit's subscription the Warranty Period"), such Hardware, when operated by End-
User in accordance with the applicable documentation and specifications, will function without
Error. For purposes of this Agreement, an Error" is a reproducible operational error that causes
the Hardware to operate at material variance from its then-current specifications. End-User's
exclusive remedy for breach of this warranty is to notify Qualys of the Error in writing during the
Warranty Period, whereupon Qualys, as its sole obligation and liability, will at its election, either:
i) repair or replace the Hardware such that it operates without Error; or ii) accept return of the
Hardware and refund to End-User a pro-rata portion of the subscription fee paid for such
Hardware. Any error correction provided to End-User will not extend the original Warranty
Period. This Section 13(a) sets forth End-User's sole and exclusive remedy and Qualys' entire
liability to End-User for any Error or other malfunction in the Hardware. b) EXCEPT AS
EXPRESSLY PROVIDED IN SECTION 13(a), AND TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, THE HARDWARE, SERVICE, REPORTS AND API
ARE PROVIDED AS IS," AND QUALYS EXPRESSLY DISCLAIMS ALL WARRANTIES
AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT
NOT LIMITED TO ALL IMPLIED OR STATUTORY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY,
ACCURACY AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. Without limitation to
the foregoing, Qualys makes no warranty that the Hardware, Service, Reports or API will be
error-free, complete, free from interruption or failure, or absolutely secure from unauthorized
access. Nor does Qualys guarantee that the Hardware or Service will detect every vulnerability to
End-User's network. Qualys does not warrant that the Service or the Reports meet the Criteria of
any Card Program; nor should End-User rely on a Pass" designation in a Report or the
statements of Qualys personnel regarding a Card Program as an indication that End-User's
network is secure. c) No person, dealer, or company may alter this disclaimer of warranties.
14. Indemnification. Qualys will defend, indemnify and hold harmless End-User from
and against any and all claims, losses, liabilities, damages and expenses including, without
limitation, reasonable attorneys' fees) arising from any claim brought against End-User by a third
party alleging that the Service, Hardware, API or Reports infringe or misappropriate a third
party's intellectual property or proprietary rights, provided that End User grants Qualys sole
control over defense or settlement of such claim and cooperates reasonably in the defense or
settlement of such claim. If End-User's use of the Service, Hardware, API or Reports is enjoined
as a result of such a claim of infringement, or if Qualys determines that it is likely to be so
enjoined, Qualys will, at its option, a) procure for End-User the right to continue using the item
in accordance with its rights under this Agreement, b) replace or modify the item with a
substantially equivalent non-infringing item; or c) terminate this Agreement and refund to End-
User a pro-rata portion of the amounts paid by End-User hereunder in connection with the
Agreement based on the unexpired portion of the Subscription at the time of such termination.
This Section 14 states Qualys' sole liability and End-User's sole and exclusive remedy for a
claim of infringement related to the Service, Hardware, API or Reports.
Qualys Confidential 2009-06-01 5
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����15. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO
LEGAL THEORY, WHETHER IN TORT, CONTRACT OR OTHERWISE, SHALL QUALYS,
ITS SUCCESSORS OR ASSIGNS, OR ANY AUTHORIZED RESELLER, BE LIABLE TO
END-USER UNDER THIS AGREEMENT FOR ANY LOSS OF PROFITS, LOSS OR
CORRUPTION OF DATA, EQUIPMENT, WEB APPLICATION OR NETWORK
DOWNTIME, OR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR
EXEMPLARY DAMAGES OF ANY KIND WHATSOEVER ARISING FROM OR RELATED
TO THIS AGREEMENT OR END-USER'S USE OR INABILITY TO USE THE HARDWARE,
SERVICE, REPORTS OR API, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL QUALYS' AND ITS
AUTHORIZED RESELLERS' TOTAL LIABILITY TO END-USER FOR ALL DAMAGES IN
ANY ONE OR MORE CAUSES OF ACTION, WHETHER IN CONTRACT, TORT OR
OTHERWISE, EXCEED THE AMOUNTS PAID BY END-USER FOR THE SERVICE
DURING THE TWELVE MONTHS PRECEDING THE ACCRUAL OF SUCH ACTION. The
foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
This Section shall survive the termination or expiration of this Agreement.
16. U.S. Government Rights. For purposes of this Agreement, commercial computer
software" means software developed or regularly used for nongovernmental purposes which i)
has been sold, leased, or licensed to the public, ii) has been offered for sale, lease or license to
the public; iii) has not been offered, sold, leased, or licensed to the public but will be available
for commercial sale, lease, or license in time to satisfy the delivery requirements of this
Agreement; or iv) satisfied a criterion expressed in i), ii), or iii) of this clause and would
require only minor modification to meet the requirements of this Agreement. If acquired by or on
behalf of a civilian agency, the U.S. Government acquires this commercial computer software
and/or commercial computer software documentation and other technical data subject to the terms
of this Agreement as specified in 48 C.F.R. 12.212 Computer Software) and 12.211 Technical
Data) of the Federal Acquisition Regulation FAR") and its successors. If acquired by or on
behalf of any agency within the Department of Defense DOD"), the U.S. Government acquires
this commercial computer software and/or commercial computer software documentation subject
to the terms of this Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR
Supplement DFARS") and its successors. This U.S. Government Rights clause is in lieu of, and
supersedes, any other FAR, DFARS, or other clause or provision that addresses Government
rights in computer software or technical data under this Agreement.
17. United States Export Restrictions. End-User may not download, export, or re-
export any software or technical data received hereunder, including software and technical data
embedded in the Hardware, regardless of the manner in which received, a) into, or to a national
or resident of, any country to which the United States has embargoed goods, or b) to anyone on
the United States Treasury Department's list of Specially Designated Nationals or the U.S.
Commerce Department's Table of Denial Orders. By using the Service, End-User is representing
and warranting that End-User is not located in, under the control of, or a national or resident of
any such country or on any such list.
18. General. This Agreement is governed by the laws of the United States and the State
of California, without reference to conflict of laws principles. The application of the United
Nations Convention of Contracts for the International Sale of Goods is expressly excluded. Any
dispute between End-User and Qualys regarding this Agreement will be subject to the exclusive
jurisdiction of the state and federal courts in the State of California. This Agreement is the entire
agreement between End-User and Qualys and supersedes any other communications or
advertising with respect to the Service and documentation, including any online agreement
Qualys Confidential 2009-06-01 6
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����presented to End-User during Registration or any additional terms or conditions submitted by
End-User, whether part of a purchase order or otherwise. If any provision of this Agreement is
held invalid, the remainder of this Agreement will continue in full force and effect. No provision
of this Agreement shall be deemed waived or modified except in a writing signed by an
authorized representative of Qualys. End-User may not assign this Agreement except pursuant to
a merger, or sale of all or substantially all of End-User's assets without the prior written consent
of Qualys. All notices or approvals under this Agreement shall be directed to the billing addresses
as set forth below or as may be revised in writing from time to time. The parties to this
Agreement are independent contractors. Neither party is an agent, representative, joint venturer,
or partner of the other party. Neither party shall have any right, power or authority to enter into
any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind the
other party. Each party shall bear its own costs and expenses in performing this Agreement.
IN WITNESS WHEREOF, the parties by their duly authorized representatives agree to and
accept all terms herein, effective as of the date first written above.
QUALYS END-USER
1600 Bridge Parkway, Suite 201 Billing address:
Redwood Shores, CA 94065 USA
Shipping Address: same as billing
By:
Name Print):
Title:
Quays Confidential 2009-06-01 7
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e ��� NOTEXTPAGE
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e
���QUALYSGUARD� END-USER AGREEMENT
This QUALYSGUARD END-USER AGREEMENT this Agreement") is made as of this day of 2011 the Effective Date"), by and between QUALMS, INC., a Delaware
corporation Q.ualys"), and County of Monterey, a political subdivision of the State of California
End-User"). This Agreement, including the information submitted to Qualys upon registration
for the Service Registration"), governs End-User's use of and access to the QualysGuard
service the Service"), whether such subscription is obtained directly from Qualys or from an
authorized Qualys Reseller Authorized Reseller").
1. Service Description. Upon End-User's completion of Registration and Qualys'
acceptance of End-User's Registration request, End-User will be entitled to use the Service in
accordance with the terms of this Agreement. The Service will permit End-User to scan the IP
addresses, web applications and/or domain names identified by End-User to Qualys for those
vulnerabilities contained within the Service's vulnerability database. Qualys will automatically
provide End-User with the results of such scans, including reports summarizing Qualys' findings
regarding the IP addresses, website URLs in the case of Web Application Scanning Service
referred herein as Web Applications"), and/or domain names identified by End-User for
scanning the Reports"). End-User must notify Qualys or its Authorized Reseller, using the
Service interface, of any changes in the IP addresses, Web Applications, and/or domain names
submitted for scanning. End-User also must notify Qualys or its Authorized Reseller in writing if
End-User desires to increase the number of IP addresses, Web Applications, and/or domain
names to be tested under the Service. Pursuant to Section 8, any increase in the number of IP
addresses, Web Applications, and/or domain names covered by the Service may require the
payment of additional fees. If End-User allocates IP address to devices by the Dynamic Host
Configuration Protocol DHCP"), End-User may submit a range or ranges) of IP addresses for
scanning, provided that End-User will not be entitled to use the Service to scan a number of
devices greater than the number covered by End-User's subscription. Any such attempts to scan
a greater number of devices or Web Applications will result in an error message and a prompt to
upgrade to an appropriate subscription level.
2. User Name and Password. Upon Qualys' acceptance of End-User's Registration,
End-User will be registered and receive a user name and password for the Service. Qualys
generates End-User's password in encrypted form and only End-User has access to it. End-User
will be responsible for keeping End-User's user name and password confidential. End-User shall
notify Qualys or its Authorized Reseller immediately upon learning of any unauthorized use of
End-User's user name or password. Until such time as End-User notifies Qualys of any
unauthorized use of End-User's user name or password, End-User will be responsible for all
activities and charges incurred through the use of End-User's user name and password, and will
indemnify and hold harmless Qualys for any claims, liability, damages, losses and costs
including reasonable attorneys' fees) to the extent resulting from such use.
3. API. Upon Qualys' agreement, End-User may choose to have access to the Service
through Qualys' proprietary API the API") by paying to Qualys a non-refundable annual API
Maintenance Fee, if applicable, according to Qualys' pricing described in Section 8 below. If
End-User chooses the API option, during the period for which End-User has paid the applicable
API Maintenance Fee, Qualys will provide End-User with the API, through which End-User may
access and query the Service and receive raw data generated from scans of End-User's IP
addresses and/or Web Applications the Scan Data"). If the API option is selected, Qualys
Qualys Confidential 2009-06-01
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e
���hereby grants End-User a nonexclusive, nontransferable, and revocable right to i) access and
process the Scan Data via the API for the purpose of generating Reports based on the Scan Data
and ii) use and reproduce such Reports solely for internal business purposes and solely for the
purpose of vulnerability assessment with regard to the relevant IP address and/or Web
Application.
4. Card Programs. Qualys will provide End-User, as part of the Service, a customized
version of the Reports containing information designed to meet the criteria of the Qualys-
supported payment card compliance program of the PCI Security Standards Council the Card
Program"). In certain circumstances, Qualys personnel may also provide individualized
assistance to End-User to facilitate a determination regarding End-User's compliance with Card
Program. Qualys provides the Service in connection with Card Program, including any
customized Reports and individualized assistance, solely as a tool to enable End-User to evaluate
its compliance with such Card Programs. End-User acknowledges and agrees that third party
payment card organizations, and not Qualys, establish the security criteria and other terms and
conditions of the Card Program Criteria").
5. Grant of Rights. Subject to End-User's payment of any applicable fees and End-User's
compliance with the terms and conditions of this Agreement, Qualys grants End-User a non-
exclusive, non-transferable right to access the Service's user interface and to reproduce solely for
End-User's own internal business purposes only such vulnerability test results as set forth in the
Reports.
6. Hardware. Qualys hardware products, including the QualysGuard Intranet Scanner
appliance delivered to End-User under this Agreement Hardware") are provided to End-User
under subscription on an annual basis, during the term of the relevant subscription. End-User
acknowledges that not all Service subscriptions include Hardware. a) Qualys will select the
carrier for delivery and bear the cost of shipment, insurance and duties for delivery of the
Hardware to the location designated by End-User in an accepted Purchase Order.
Notwithstanding the foregoing, Qualys will not be liable for damage or penalty for delay in
delivery. b) Subject to the Hardware warranty in Section 13(a), End-User assumes all risk of
loss and shall pay for all cost of repair, replacement, or refurbishment caused by accident, misuse,
abuse, neglect, or End-User's other failure to install, use and maintain the Hardware in
accordance with the applicable documentation and specifications. Subject to the terms and
conditions of this Agreement, Qualys and its suppliers grant End-User a limited, non-exclusive,
non-transferable, non-sublicenseable right to use the software embedded in the Hardware in
executable code form only, during the term of the relevant subscription, solely as necessary to
operate the Hardware in connection with the Service. c) Notwithstanding anything to the
contrary in this Agreement, Qualys will at all times retain title to the Hardware. End-User may
retain and use Hardware during any subscription renewal term, provided that End-User pays the
applicable subscription fee for such renewal term. Upon termination or expiration including
non-renewal) of this Agreement or End-User's subscription, End-User will return all Hardware
provided under this Agreement within fifteen 15) days of such expiration or termination, in
substantially the same condition in which it was delivered to End-User. End-User will pay all
return transportation and delivery costs.
7. Restrictions. The rights granted to End-User in this Agreement are subject to the
following restrictions, and End-User hereby covenants as follows: a) End-User may use the
Service and the Hardware only to scan IP addresses, Web Applications, and/or map domain
names owned by and registered to End-User, or for which End-User otherwise has the full right,
power, and authority to consent to have the Service scan and/or map. End-User may not rent,
Qualys Confidential 2009-06-01 2
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e
���lease, or loan the Service, or any part thereof. Neither may End-User permit third parties to
benefit from the use or functionality of the Service via timesharing, service bureau arrangements
or otherwise. b) While there is no software transfer necessary from Qualys to End-User to
effectuate the Service, End-User agrees not to reverse engineer, decompile, or disassemble any
software that is embedded in or related to the Hardware or that provides the Service, or otherwise
attempt to derive the processes by which the Service is provided or the Reports are generated,
except to the extent the foregoing restriction is expressly prohibited by applicable law. c) End-
User may not use the Service or the Hardware except for the limited purpose of vulnerability
management with regard to the IP addresses and/or Web Applications for which End-User has
purchased a subscription package. d) End-User may not make any alteration, addition or
modification to the Hardware; open, disassemble or tamper with the Hardware in any fashion; or
transfer possession of the Hardware to any third party.
8. Payment. Upon the Effective Date, End-User shall make an initial purchase as set
forth in Exhibit A. End-User shall be obligated to pay Qualys or its Authorized Reseller, as
applicable, a) the fees attributable to the subscription package(s) purchased by the End-User
including subscriptions to Hardware); and b) the API Maintenance Fee if applicable. For End-
User's initial purchase, such fees will be according to Exhibit A. For subsequent purchases
including renewals), such fees will be according to Qualys' applicable list price, or at such other
price to which the End-User and the selling party may agree in writing. The applicable scanning
fees may change if End-User adds devices, IP addresses, Web Applications, and/or domain names
in the manner described in Section 1. Qualys and its Authorized Resellers reserve the right to
change the list price for Hardware, the Service or the API at any time; provided, however, that if
End-User has already paid for Hardware, Service or the API for a particular subscription term, the
price will not be changed during the term of such subscription. Payment from End-User will be
due and payable within thirty 30) days of the date of the applicable invoice or as otherwise
required by an Authorized Reseller. Payments by End-User that are past due will be subject to
interest at the rate of one and one-half percent 1'/2%) per month or the maximum allowed by
applicable law). Subject to any arrangement End-User has with an Authorized Reseller, should
Qualys so notify End-User at any time, any future payments under this Agreement shall be made
directly to Qualys or to such party as Qualys may specify in its notice to End-User. End-User will
be solely responsible for payment of any and all taxes and duties including value-added tax,
turnover tax, gross receipts tax, sales or use tax and customs duties) arising from or imposed on
any transactions conducted or products delivered hereunder, excluding taxes based on Qualys' or
its Authorized Reseller's net income. Without limiting the foregoing, if any amount payable by
End-User under this Agreement should be subjected to any deduction or withholding on account
of any tax or charge, End-User shall pay such additional amounts as may be required in order that
the net amount actually received, after deduction or withholding of all related taxes and charges,
shall be equal to the amount expressed to be payable pursuant to the terms of this Agreement.
9. Term; Termination by End-User. a) The initial term of this Agreement and of End-
User's,subscription to the Service shall be for one 1) year or for such longer term as the parties
may agree in writing), commencing on the Subscription Start Date. b) End-User may terminate
this Agreement and receipt of the Service at any time upon thirty 30) days' advanced written
notice to Qualys for any reason. If End-User terminates the Agreement for convenience as set
forth above, End-User will not receive any refund or credit for any unused portion of a
subscription to the Service or any prepaid scanning fees. Upon termination or expiration
including non-renewal) of this Agreement or End-User's subscription, End-User must cease all
use of the Service, including any downloads of the Reports and, within fifteen 15) days of such
expiration or termination, return all Hardware provided under this Agreement in substantially the
Qualys Confidential 2009-06-01 3
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e
���same condition in which it was delivered to End-User. Qualys may terminate this Agreement at
any time upon thirty 30) days' prior written notice if End-User fails to pay any amounts due
hereunder or breaches any other provision of this Agreement. Sections 7 and 9 through 18 will
survive any termination or expiration of this Agreement.
10. Ownership. As between the parties, all title, copyrights, trademarks, service marks,
patents, patent applications and all other intellectual proprietary rights now known or hereafter
recognized in any jurisdiction in and to the Service, API, Reports, and the design and function of
the Hardware--and in each case all software embedded therein or related thereto, all data and
information contained therein excluding individual factual data gathered from the End-User's IP
addresses)--(the Intellectual Property Rights") are owned by Qualys and/or its licensors, and
End-User agrees to make no claim of interest in or ownership of any such Intellectual Property
Rights. End-User further acknowledges that the structure, organization, and code of all software
embedded in or related to the Service and the Hardware are the valuable trade secrets of Qualys
and/or its licensors. End-User acknowledges that no title to the Intellectual Property Rights in the
Service or the Reports is transferred to End-User, and that End-User does not obtain any rights,
express or implied, in the Service or the Reports, including any information contained within the
Reports, other than the rights expressly granted in this Agreement.
11. Confidentiality. Each party agrees to keep in confidence any confidential or
proprietary information it receives from the other party hereunder Confidential Information").
Neither party shall disclose Confidential Information of the other party to third parties nor use
such Confidential Information for any purpose other than as expressly set forth in this Agreement.
To be accorded treatment as Confidential Information under this Agreement, the disclosing party
must identify any such information as confidential or proprietary at the time of disclosure.
Notwithstanding the marking requirement, all data regarding End-User's IP addresses, domain
names, Web Applications, or network characteristics including data that Qualys obtains as a
result of its provision of the Service hereunder) will be deemed Confidential Information of the
End-User, and all data and information contained within the Service or the Reports excluding
End-User's Confidential Information) and all information concerning or materially relating to the
Hardware, will be'deemed Confidential Information of Qualys. Information that is already in the
public domain through no fault of the receiving party, or was already known to the receiving
party through no breach of a confidentiality obligation to the disclosing party, shall not be treated
as Confidential Information hereunder. End-User may not access, use or refer to any information
or data contained within the Service or the Reports except for the limited purpose of vulnerability
management with regard to the IP addresses or Web Applications for which End-User has
purchased a subscription package. Nothing in this Agreement shall prohibit Qualys from using
aggregated data of End-User in any format for any purpose, provided that such data cannot be
identified to or associated with End-User.
12. Identification of IP Addresses. a) Because of the sensitive nature of performing
security checks on IP addresses and/or Web Applications, End-User represents and warrants that
End-User has full right, power, and authority to consent to have the Service test for vulnerabilities
scan") the IP addresses, Web Applications, and/or domain names identified to Qualys for
scanning, whether electronically or by any other means, whether at the time of initial Registration
or thereafter. Without limiting any other remedy that Qualys may have, End-User agrees to
indemnify and hold Qualys and its Authorized Resellers harmless from and against any and all
liabilities, losses, damages, costs and expenses, including without limitation reasonable attorneys'
fees and costs, incurred by Qualys or such Authorized Reseller resulting from End-User's breach
of this Section 12(a). b) End-User also acknowledges and agrees that the scanning of such IP
addresses, Web Applications, and/or domain names may expose vulnerabilities and in some
Qualys Confidential 2009-06-01 4
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����circumstances could result in the disruption of services at such site(s). Certain optional features of
the Service, including exploitive scans, involve substantial risk of Denial of Service DOS)
attacks, loss of service, hardware failure and loss or corruption of data. Consequently, End-User
agrees that it is End-User's responsibility to perform backups of all data contained in or available
through the devices connected to End-User's IP addresses, Web Applications, and/or domain
names prior to invoking the use of the Service.
13. Limited Warranty. a) Qualys warrants that, for the duration each particular
Hardware unit's subscription the Warranty Period"), such Hardware, when operated by End-
User in accordance with the applicable documentation and specifications, will function without
Error. For purposes of this Agreement, an Error" is a reproducible operational error that causes
the Hardware to operate at material variance from its then-current specifications. End-User's
exclusive remedy for breach of this warranty is to notify Qualys of the Error in writing during the
Warranty Period, whereupon Qualys, as its sole obligation and liability, will at its election, either:
i) repair or replace the Hardware such that it operates without Error; or ii) accept return of the
Hardware and refund to End-User a pro-rata portion of the subscription fee paid for such
Hardware. Any error correction provided to End-User will not extend the original Warranty
Period. This Section 13(a) sets forth End-User's sole and exclusive remedy and Qualys' entire
liability to End-User for any Error or other malfunction in the Hardware. b) EXCEPT AS
EXPRESSLY PROVIDED IN SECTION 13(a), AND TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, THE HARDWARE, SERVICE, REPORTS AND API
ARE PROVIDED AS IS," AND QUALYS EXPRESSLY DISCLAIMS ALL WARRANTIES
AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT
NOT LIMITED TO ALL IMPLIED OR STATUTORY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY,
ACCURACY AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. Without limitation to
the foregoing, Qualys makes no warranty that the Hardware, Service, Reports or API will be
error-free, complete, free from interruption or failure, or absolutely secure from unauthorized
access. Nor does Qualys guarantee that the Hardware or Service will detect every vulnerability to
End-User's network. Qualys does not warrant that the Service or the Reports meet the Criteria of
any Card Program; nor should End-User rely on a Pass" designation in a Report or the
statements of Qualys personnel regarding a Card Program as an indication that End-User's
network is secure. c) No person, dealer, or company may alter this disclaimer of warranties.
14. Indemnification. Qualys will defend, indemnify and hold harmless End-User from
and against any and all claims, losses, liabilities, damages and expenses including, without
limitation, reasonable attorneys' fees) arising from any claim brought against End-User by a third
party alleging that the Service, Hardware, API or Reports infringe or misappropriate a third
party's intellectual property or proprietary rights, provided that End User grants Qualys sole
control over defense or settlement of such claim and cooperates reasonably in the defense or
settlement of such claim. If End-User's use of the Service, Hardware, API or Reports is enjoined
as a result of such a claim of infringement, or if Qualys determines that it is likely to be so
enjoined, Qualys will, at its option, a) procure for End-User the right to continue using the item
in accordance with its rights under this Agreement, b) replace or modify the item with a
substantially equivalent non-infringing item; or c) terminate this Agreement and refund to End-
User a pro-rata portion of the amounts paid by End-User hereunder in connection with the
Agreement based on the unexpired portion of the Subscription at the time of such termination.
This Section 14 states Qualys' sole liability and End-User's sole and exclusive remedy for a
claim of infringement related to the Service, Hardware, API or Reports.
Qualys Confidential 2009-06-01 5
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����15. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO
LEGAL THEORY, WHETHER IN TORT, CONTRACT OR OTHERWISE, SHALL QUALYS,
ITS SUCCESSORS OR ASSIGNS, OR ANY AUTHORIZED RESELLER, BE LIABLE TO
END-USER UNDER THIS AGREEMENT FOR ANY LOSS OF PROFITS, LOSS OR
CORRUPTION OF DATA, EQUIPMENT, WEB APPLICATION OR NETWORK
DOWNTIME, OR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR
EXEMPLARY DAMAGES OF ANY KIND WHATSOEVER ARISING FROM OR RELATED
TO THIS AGREEMENT OR END-USER'S USE OR INABILITY TO USE THE HARDWARE,
SERVICE, REPORTS OR API, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL QUALYS' AND ITS
AUTHORIZED RESELLERS' TOTAL LIABILITY TO END-USER FOR ALL DAMAGES IN
ANY ONE OR MORE CAUSES OF ACTION, WHETHER IN CONTRACT, TORT OR
OTHERWISE, EXCEED THE AMOUNTS PAID BY END-USER FOR THE SERVICE
DURING THE TWELVE MONTHS PRECEDING THE ACCRUAL OF SUCH ACTION. The
foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
This Section shall survive the termination or expiration of this Agreement.
16. U.S. Government Rights. For purposes of this Agreement, commercial computer
software" means software developed or regularly used for nongovernmental purposes which i)
has been sold, leased, or licensed to the public, ii) has been offered for sale, lease or license to
the public; iii) has not been offered, sold, leased, or licensed to the public but will be available
for commercial sale, lease, or license in time to satisfy the delivery requirements of this
Agreement; or iv) satisfied a criterion expressed in i), ii), or iii) of this clause and would
require only minor modification to meet the requirements of this Agreement. If acquired by or on
behalf of a civilian agency, the U.S. Government acquires this commercial computer software
and/or commercial computer software documentation and other technical data subject to the terms
of this Agreement as specified in 48 C.F.R. 12.212 Computer Software) and 12.211 Technical
Data) of the Federal Acquisition Regulation FAR") and its successors. If acquired by or on
behalf of any agency within the Department of Defense DOD"), the U.S. Government acquires
this commercial computer software and/or commercial computer software documentation subject
to the terms of this Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR
Supplement DFARS") and its successors. This U.S. Government Rights clause is in lieu of, and
supersedes, any other FAR, DFARS, or other clause or provision that addresses Government
rights in computer software or technical data under this Agreement.
17. United States Export Restrictions. End-User may not download, export, or re-
export any software or technical data received hereunder, including software and technical data
embedded in the Hardware, regardless of the manner in which received, a) into, or to a national
or resident of, any country to which the United States has embargoed goods, or b) to anyone on
the United States Treasury Department's list of Specially Designated Nationals or the U.S.
Commerce Department's Table of Denial Orders. By using the Service, End-User is representing
and warranting that End-User is not located in, under the control of, or a national or resident of
any such country or on any such list.
18. General. This Agreement is governed by the laws of the United States and the State
of California, without reference to conflict of laws principles. The application of the United
Nations Convention of Contracts for the International Sale of Goods is expressly excluded. Any
dispute between End-User and Qualys regarding this Agreement will be subject to the exclusive
jurisdiction of the state and federal courts in the State of California. This Agreement is the entire
agreement between End-User and Qualys and supersedes any other communications or
advertising with respect to the Service and documentation, including any online agreement
Qualys Confidential 2009-06-01 6
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
COMPLETED BOARD ORDER�"��|E���e����presented to End-User during Registration or any additional terms or conditions submitted by
End-User, whether part of a purchase order or otherwise. If any provision of this Agreement is
held invalid, the remainder of this Agreement will continue in full force and effect. No provision
of this Agreement shall be deemed waived or modified except in a writing signed by an
authorized representative of Qualys. End-User may not assign this Agreement except pursuant to
a merger, or sale of all or substantially all of End-User's assets without the prior written consent
of Qualys. All notices or approvals under this Agreement shall be directed to the billing addresses
as set forth below or as may be revised in writing from time to time. The parties to this
Agreement are independent contractors. Neither party is an agent, representative, joint venturer,
or partner of the other party. Neither party shall have any right, power or authority to enter into
any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind the
other party. Each party shall bear its own costs and expenses in performing this Agreement.
IN WITNESS WHEREOF, the parties by their duly authorized representatives agree to and
accept all terms herein, effective as of the date first written above.
QUALYS END-USER
1600 Bridge Parkway, Suite 201 Billing address:
Redwood Shores, CA 94065 USA
Shipping Address: u same as billing
By:~~a'r By:
Name Print): kN. u Name Print):
Title: C lp Title:
Qualys Confidential 2009-06-01 7
BIB]
40723-U01
COMPLETED-U02
BOARD-U02
ORDER-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102454-U03
C1-U03
GENERAL-U03
DOCUMENTS-U03
5/25/2011-U04
BORENM-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����QUALYSGUARD� END-USER AGREEMENT
This QUALYSGUARD END-USER AGREEMENT this Agreement") is made as of this
day of 2011 the Effective Date"), by and between QUALYS, INC., a Delaware
corporation Qualys"), and County of Monterey, a political subdivision of the State of California
End-User"). This Agreement, including the information submitted to Qualys upon registration
for the Service Registration"), governs End-User's use of and access to the QualysGuard
service the Service"), whether such subscription is obtained directly from Qualys or from an
authorized Qualys Reseller Authorized Reseller").
1. Service Description. Upon End-User's completion of Registration and Qualys'
acceptance of End-User's Registration request, End-User will be entitled to use the Service in
accordance with the terms of this Agreement. The Service will permit End-User to scan the IP
addresses, web applications and/or domain names identified by End-User to Qualys for those
vulnerabilities contained within the Service's vulnerability database. Qualys will automatically
provide End-User with the results of such scans, including reports summarizing Qualys' findings
regarding the IP addresses, website URLs in the case of Web Application Scanning Service
referred herein as Web Applications"), and/or domain names identified by End-User for
scanning the Reports"). End-User must notify Qualys or its Authorized Reseller, using the
Service interface, of any changes in the IP addresses, Web Applications, and/or domain names
submitted for scanning. End-User also must notify Qualys or its Authorized Reseller in writing if
End-User desires to increase the number of IP addresses, Web Applications, and/or domain
names to be tested under the Service. Pursuant to Section 8, any increase in the number of IP
addresses, Web Applications, and/or domain names covered by the Service may require the
payment of additional fees. If End-User allocates IP address to devices by the Dynamic Host
Configuration Protocol DHCP"), End-User may submit a range or ranges) of IP addresses for
scanning, provided that End-User will not be entitled to use the Service to scan a number of
devices greater than the number covered by End-User's subscription. Any such attempts to scan
a greater number of devices or Web Applications will result in an error message and a prompt to
upgrade to an appropriate subscription level.
2. User Name and Password. Upon Qualys' acceptance of End-User's Registration,
End-User will be registered and receive a user name and password for the Service. Qualys
generates End-User's password in encrypted form and only End-User has access to it. End-User
will be responsible for keeping End-User's user name and password confidential. End-User shall
notify Qualys or its Authorized Reseller immediately upon learning of any unauthorized use of
End-User's user name or password. Until such time as End-User notifies Qualys of any
unauthorized use of End-User's user name or password, End-User will be responsible for all
activities and charges incurred through the use of End-User's user name and password, and will
indemnify and hold harmless Qualys for any claims, liability, damages, losses and costs
including reasonable attorneys' fees) to the extent resulting from such use.
3. API. Upon Qualys' agreement, End-User may choose to have access to the Service
through Qualys' proprietary API the API") by paying to Qualys a non-refundable annual API
Maintenance Fee, if applicable, according to Qualys' pricing described in Section 8 below. If
End-User chooses the API option, during the period for which End-User has paid the applicable
API Maintenance Fee, Qualys will provide End-User with the API, through which End-User may
access and query the Service and receive raw data generated from scans of End-User's IP
addresses and/or Web Applications the Scan Data"). If the API option is selected, Qualys
Qualys Confidential 2009-06-01
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����hereby grants End-User a nonexclusive, nontransferable, and revocable right to i) access and
process the Scan Data via the API for the purpose of generating Reports based on the Scan Data
and ii) use and reproduce such Reports solely for internal business purposes and solely for the
purpose of vulnerability assessment with regard to the relevant IP address and/or Web
Application.
4. Card Programs. Qualys will provide End-User, as part of the Service, a customized
version of the Reports containing information designed to meet the criteria of the Qualys-
supported payment card compliance program of the PCI Security Standards Council the Card
Program"). In certain circumstances, Qualys personnel may also provide individualized
assistance to End-User to facilitate a determination regarding End-User's compliance with Card
Program. Qualys provides the Service in connection with Card Program, including any
customized Reports and individualized assistance, solely as a tool to enable End-User to evaluate
its compliance with such Card Programs. End-User acknowledges and agrees that third party
payment card organizations, and not Qualys, establish the security criteria and other terms and
conditions of the Card Program Criteria").
5. Grant of Rights. Subject to End-User's payment of any applicable fees and End-User's
compliance with the terms and conditions of this Agreement, Qualys grants End-User a non-
exclusive, non-transferable right to access the Service's user interface and to reproduce solely for
End-User's own internal business purposes only such vulnerability test results as set forth in the
Reports.
6. Hardware. Qualys hardware products, including the QualysGuard Intranet Scanner
appliance delivered to End-User under this Agreement Hardware") are provided to End-User
under subscription on an annual basis, during the term of the relevant subscription. End-User
acknowledges that not all Service subscriptions include Hardware. a) Qualys will select the
carrier for delivery and bear the cost of shipment, insurance and duties for delivery of the
Hardware to the location designated by End-User in an accepted Purchase Order.
Notwithstanding the foregoing, Qualys will not be liable for damage or penalty for delay in
delivery. b) Subject to the Hardware warranty in Section 13(a), End-User assumes all risk of
loss and shall pay for all cost of repair, replacement, or refurbishment caused by accident, misuse,
abuse, neglect, or End-User's other failure to install, use and maintain the Hardware in
accordance with the applicable documentation and specifications. Subject to the terms and
conditions of this Agreement, Qualys and its suppliers grant End-User a limited, non-exclusive,
non-transferable, non-sublicenseable right to use the software embedded in the Hardware in
executable code form only, during the term of the relevant subscription, solely as necessary to
operate the Hardware in connection with the Service. c) Notwithstanding anything to the
contrary in this Agreement, Qualys will at all times retain title to the Hardware. End-User may
retain and use Hardware during any subscription renewal term, provided that End-User pays the
applicable subscription fee for such renewal term. Upon termination or expiration including
non-renewal) of this Agreement or End-User's subscription, End-User will return all Hardware
provided under this Agreement within fifteen 15) days of such expiration or termination, in
substantially the same condition in which it was delivered to End-User. End-User will pay all
return transportation and delivery costs.
7. Restrictions. The rights granted to End-User in this Agreement are subject to the
following restrictions, and End-User hereby covenants as follows: a) End-User may use the
Service and the Hardware only to scan IP addresses, Web Applications, and/or map domain
names owned by and registered to End-User, or for which End-User otherwise has the full right,
power, and authority to consent to have the Service scan and/or map. End-User may not rent,
Qualys Confidential 2009-06-01 2
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����lease, or loan the Service, or any part thereof. Neither may End-User permit third parties to
benefit from the use or functionality of the Service via timesharing, service bureau arrangements
or otherwise. b) While there is no software transfer necessary from Qualys to End-User to
effectuate the Service, End-User agrees not to reverse engineer, decompile, or disassemble any
software that is embedded in or related to the Hardware or that provides the Service, or otherwise
attempt to derive the processes by which the Service is provided or the Reports are generated,
except to the extent the foregoing restriction is expressly prohibited by applicable law. c) End-
User may not use the Service or the Hardware except for the limited purpose of vulnerability
management with regard to the IP addresses and/or Web Applications for which End-User has
purchased a subscription package. d) End-User may not make any alteration, addition or
modification to the Hardware; open, disassemble or tamper with the Hardware in any fashion; or
transfer possession of the Hardware to any third party.
8. Payment. Upon the Effective Date, End-User shall make an initial purchase as set
forth in Exhibit A. End-User shall be obligated to pay Qualys or its Authorized Reseller, as
applicable, a) the fees attributable to the subscription package(s) purchased by the End-User
including subscriptions to Hardware); and b) the API Maintenance Fee if applicable. For End-
User's initial purchase, such fees will be according to Exhibit A. For subsequent purchases
including renewals), such fees will be according to Qualys' applicable list price, or at such other
price to which the End-User and the selling party may agree in writing. The applicable scanning
fees may change if End-User adds devices, IP addresses, Web Applications, and/or domain names
in the manner described in Section 1. Qualys and its Authorized Resellers reserve the right to
change the list price for Hardware, the Service or the API at any time; provided, however, that if
End-User has already paid for Hardware, Service or the API for a particular subscription term, the
price will not be changed during the term of such subscription. Payment from End-User will be
due and payable within thirty 30) days of the date of the applicable invoice or as otherwise
required by an Authorized Reseller. Payments by End-User that are past due will be subject to
interest at the rate of one and one-half percent 1'/2%) per month or the maximum allowed by
applicable law). Subject to any arrangement End-User has with an Authorized Reseller, should
Qualys so notify End-User at any time, any future payments under this Agreement shall be made
directly to Qualys or to such party as Qualys may specify in its notice to End-User. End-User will
be solely responsible for payment of any and all taxes and duties including value-added tax,
turnover tax, gross receipts tax, sales or use tax and customs duties) arising from or imposed on
any transactions conducted or products delivered hereunder, excluding taxes based on Qualys' or
its Authorized Reseller's net income. Without limiting the foregoing, if any amount payable by
End-User under this Agreement should be subjected to any deduction or withholding on account
of any tax or charge, End-User shall pay such additional amounts as may be required in order that
the net amount actually received, after deduction or withholding of all related taxes and charges,
shall be equal to the amount expressed to be payable pursuant to the terms of this Agreement.
9. Term; Termination by End-User. a) The initial term of this Agreement and of End-
User's subscription to the Service shall be for one 1) year or for such longer term as the parties
may agree in writing), commencing on the Subscription Start Date. b) End-User may terminate
this Agreement and receipt of the Service at any time upon thirty 30) days' advanced written
notice to Qualys for any reason. If End-User terminates the Agreement for convenience as set
forth above, End-User will not receive any refund or credit for any unused portion of a
subscription to the Service or any prepaid scanning fees. Upon termination or expiration
including non-renewal) of this Agreement or End-User's subscription, End-User must cease all
use of the Service, including any downloads of the Reports and, within fifteen 15) days of such
expiration or termination, return all Hardware provided under this Agreement in substantially the
Qualys Confidential 2009-06-01 3
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����same condition in which it was delivered to End-User. Qualys may terminate this Agreement at
any time upon thirty 30) days' prior written notice if End-User fails to pay any amounts due
hereunder or breaches any other provision of this Agreement. Sections 7 and 9 through 18 will
survive any termination or expiration of this Agreement.
10. Ownership. As between the parties, all title, copyrights, trademarks, service marks,
patents, patent applications and all other intellectual proprietary rights now known or hereafter
recognized in any jurisdiction in and to the Service, API, Reports, and the design and function of
the Hardware--and in each case all software embedded therein or related thereto, all data and
information contained therein excluding individual factual data gathered from the End-User's IP
addresses)--(the Intellectual Property Rights") are owned by Qualys and/or its licensors, and
End-User agrees to make no claim of interest in or ownership of any such Intellectual Property
Rights. End-User further acknowledges that the structure, organization, and code of all software
embedded in or related to the Service and the Hardware are the valuable trade secrets of Qualys
and/or its licensors. End-User acknowledges that no title to the Intellectual Property Rights in the
Service or the Reports is transferred to End-User, and that End-User does not obtain any rights,
express or implied, in the Service or the Reports, including any information contained within the
Reports, other than the rights expressly granted in this Agreement.
11. Confidentiality. Each party agrees to keep in confidence any confidential or
proprietary information it receives from the other party hereunder Confidential Information").
Neither party shall disclose Confidential Information of the other party to third parties nor use
such Confidential Information for any purpose other than as expressly set forth in this Agreement.
To be accorded treatment as Confidential Information under this Agreement, the disclosing party
must identify any such information as confidential or proprietary at the time of disclosure.
Notwithstanding the marking requirement, all data regarding End-User's IP addresses, domain
names, Web Applications, or network characteristics including data that Qualys obtains as a
result of its provision of the Service hereunder) will be deemed Confidential Information of the
End-User, and all data and information contained within the Service or the Reports excluding
End-User's Confidential Information) and all information concerning or materially relating to the
Hardware, will be deemed Confidential Information of Qualys. Information that is already in the
public domain through no fault of the receiving party, or was already known to the receiving
party through no breach of a confidentiality obligation to the disclosing party, shall not be treated
as Confidential Information hereunder. End-User may not access, use or refer to any information
or data contained within the Service or the Reports except for the limited purpose of vulnerability
management with regard to the IP addresses or Web Applications for which End-User has
purchased a subscription package. Nothing in this Agreement shall prohibit Qualys from using
aggregated data of End-User in any format for any purpose, provided that such data cannot be
identified to or associated with End-User.
12. Identification of IP Addresses. a) Because of the sensitive nature of performing
security checks on IP addresses and/or Web Applications, End-User represents and warrants that
End-User has full right, power, and authority to consent to have the Service test for vulnerabilities
scan") the IP addresses, Web Applications, and/or domain names identified to Qualys for
scanning, whether electronically or by any other means, whether at the time of initial Registration
or thereafter. Without limiting any other remedy that Qualys may have, End-User agrees to
indemnify and hold Qualys and its Authorized Resellers harmless from and against any and all
liabilities, losses, damages, costs and expenses, including without limitation reasonable attorneys'
fees and costs, incurred by Qualys or such Authorized Reseller resulting from End-User's breach
of this Section 12(a). b) End-User also acknowledges and agrees that the scanning of such IP
addresses, Web Applications, and/or domain names may expose vulnerabilities and in some
Qualys Confidential 2009-06-01 4
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����circumstances could result in the disruption of services at such site(s). Certain optional features of
the Service, including exploitive scans, involve substantial risk of Denial of Service DOS)
attacks, loss of service, hardware failure and loss or corruption of data. Consequently, End-User
agrees that it is End-User's responsibility to perform backups of all data contained in or available
through the devices connected to End-User's IP addresses, Web Applications, and/or domain
names prior to invoking the use of the Service.
13. Limited Warranty. a) Qualys warrants that, for the duration each particular
Hardware unit's subscription the Warranty Period"), such Hardware, when operated by End-
User in accordance with the applicable documentation and specifications, will function without
Error. For purposes of this Agreement, an Error" is a reproducible operational error that causes
the Hardware to operate at material variance from its then-current specifications. End-User's
exclusive remedy for breach of this warranty is to notify Qualys of the Error in writing during the
Warranty Period, whereupon Qualys, as its sole obligation and liability, will at its election, either:
i) repair or replace the Hardware such that it operates without Error; or ii) accept return of the
Hardware and refund to End-User a pro-rata portion of the subscription fee paid for such
Hardware. Any error correction provided to End-User will not extend the original Warranty
Period. This Section 13(a) sets forth End-User's sole and exclusive remedy and Qualys' entire
liability to End-User for any Error or other malfunction in the Hardware. b) EXCEPT AS
EXPRESSLY PROVIDED IN SECTION 13(a), AND TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, THE HARDWARE, SERVICE, REPORTS AND API
ARE PROVIDED AS IS," AND QUALYS EXPRESSLY DISCLAIMS ALL WARRANTIES
AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT
NOT LIMITED TO ALL IMPLIED OR STATUTORY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY,
ACCURACY AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. Without limitation to
the foregoing, Qualys makes no warranty that the Hardware, Service, Reports or API will be
error-free, complete, free from interruption or failure, or absolutely secure from unauthorized
access. Nor does Qualys guarantee that the Hardware or Service will detect every vulnerability to
End-User's network. Qualys does not warrant that the Service or the Reports meet the Criteria of
any Card Program; nor should End-User rely on a Pass" designation in a Report or the
statements of Qualys personnel regarding a Card Program as an indication that End-User's
network is secure. c) No person, dealer, or company may alter this disclaimer of warranties.
14. Indemnification. Qualys will defend, indemnify and hold harmless End-User from
and against any and all claims, losses, liabilities, damages and expenses including, without
limitation, reasonable attorneys' fees) arising from any claim brought against End-User by a third
party alleging that the Service, Hardware, API or Reports infringe or misappropriate a third
party's intellectual property or proprietary rights, provided that End User grants Qualys sole
control over defense or settlement of such claim and cooperates reasonably in the defense or
settlement of such claim. If End-User's use of the Service, Hardware, API or Reports is enjoined
as a result of such a claim of infringement, or if Qualys determines that it is likely to be so
enjoined, Qualys will, at its option, a) procure for End-User the right to continue using the item
in accordance with its rights under this Agreement, b) replace or modify the item with a
substantially equivalent non-infringing item; or c) terminate this Agreement and refund to End-
User a pro-rata portion of the amounts paid by End-User hereunder in connection with the
Agreement based on the unexpired portion of the Subscription at the time of such termination.
This Section 14 states Qualys' sole liability and End-User's sole and exclusive remedy for a
claim of infringement related to the Service, Hardware, API or Reports.
Qualys Confidential 2009-06-01 5
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����15. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO
LEGAL THEORY, WHETHER IN TORT, CONTRACT OR OTHERWISE, SHALL QUALYS,
ITS SUCCESSORS OR ASSIGNS, OR ANY AUTHORIZED RESELLER, BE LIABLE TO
END-USER UNDER THIS AGREEMENT FOR ANY LOSS OF PROFITS, LOSS OR
CORRUPTION OF DATA, EQUIPMENT, WEB APPLICATION OR NETWORK
DOWNTIME, OR FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR
EXEMPLARY DAMAGES OF ANY KIND WHATSOEVER ARISING FROM OR RELATED
TO THIS AGREEMENT OR END-USER'S USE OR INABILITY TO USE THE HARDWARE,
SERVICE, REPORTS OR API, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL QUALYS' AND ITS
AUTHORIZED RESELLERS' TOTAL LIABILITY TO END-USER FOR ALL DAMAGES IN
ANY ONE OR MORE CAUSES OF ACTION, WHETHER IN CONTRACT, TORT OR
OTHERWISE, EXCEED THE AMOUNTS PAID BY END-USER FOR THE SERVICE
DURING THE TWELVE MONTHS PRECEDING THE ACCRUAL OF SUCH ACTION. The
foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
This Section shall survive the termination or expiration of this Agreement.
16. U.S. Government Rights. For purposes of this Agreement, commercial computer
software" means software developed or regularly used for nongovernmental purposes which i)
has been sold, leased, or licensed to the public, ii) has been offered for sale, lease or license to
the public; iii) has not been offered, sold, leased, or licensed to the public but will be available
for commercial sale, lease, or license in time to satisfy the delivery requirements of this
Agreement; or iv) satisfied a criterion expressed in i), ii), or iii) of this clause and would
require only minor modification to meet the requirements of this Agreement. If acquired by or on
behalf of a civilian agency, the U.S. Government acquires this commercial computer software
and/or commercial computer software documentation and other technical data subject to the terms
of this Agreement as specified in 48 C.F.R. 12.212 Computer Software) and 12.211 Technical
Data) of the Federal Acquisition Regulation FAR") and its successors. If acquired by or on
behalf of any agency within the Department of Defense DOD"), the U.S. Government acquires
this commercial computer software and/or commercial computer software documentation subject
to the terms of this Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR
Supplement DFARS") and its successors. This U.S. Government Rights clause is in lieu of, and
supersedes, any other FAR, DFARS, or other clause or provision that addresses Government
rights in computer software or technical data under this Agreement.
17. United States Export Restrictions. End-User may not download, export, or re-
export any software or technical data received hereunder, including software and technical data
embedded in the Hardware, regardless of the manner in which received, a) into, or to a national
or resident of, any country to which the United States has embargoed goods, or b) to anyone on
the United States Treasury Department's list of Specially Designated Nationals or the U.S.
Commerce Department's Table of Denial Orders. By using the Service, End-User is representing
and warranting that End-User is not located in, under the control of, or a national or resident of
any such country or on any such list.
18. General. This Agreement is governed by the laws of the United States and the State
of California, without reference to conflict of laws principles. The application of the United
Nations Convention of Contracts for the International Sale of Goods is expressly excluded. Any
dispute between End-User and Qualys regarding this Agreement will be subject to the exclusive
jurisdiction of the state and federal courts in the State of California. This Agreement is the entire
agreement between End-User and Qualys and supersedes any other communications or
advertising with respect to the Service and documentation, including any online agreement
Qualys Confidential 2009-06-01 6
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����presented to End-User during Registration or any additional terms or conditions submitted by
End-User, whether part of a purchase order or otherwise. If any provision of this Agreement is
held invalid, the remainder of this Agreement will continue in full force and effect. No provision
of this Agreement shall be deemed waived or modified except in a writing signed by an
authorized representative of Qualys. End-User may not assign this Agreement except pursuant to
a merger, or sale of all or substantially all of End-User's assets without the prior written consent
of Qualys. All notices or approvals under this Agreement shall be directed to the billing addresses
as set forth below or as may be revised in writing from time to time. The parties to this
Agreement are independent contractors. Neither party is an agent, representative, joint venturer,
or partner of the other party. Neither party shall have any right, power or authority to enter into
any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind the
other party. Each party shall bear its own costs and expenses in performing this Agreement.
IN WITNESS WHEREOF, the parties by their duly authorized representatives agree to and
accept all terms herein, effective as of the date first written above.
QUALYS END-USER
1600 Bridge Parkway, Suite 201 Billing address:
Redwood Shores, CA 94065 USA
E.NTERE(
Shipping Address: same as billing
Rtfdi~br
County
k1l
Jtlpt cl Cg2(6,j
TRACI A. K!RKSRJDE
C44l b
0% A'Vle
s-~q-((
Qualys Confidential 2009-06-01 7
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012
FULLY EXECUTED AGREEMENT QUAL���I����UALYS�
ON D M AND SECt RITv
Qualys, Inc
1600 Bridge Parkway
2nd Floor
Redwood Shores CA 94065
United States
Bill To
Information Technology
County of Monterey
1590 Moffett St
Salinas CA 93905
United States
Quotation
Ship To
Information Technology
County of Monterey
1590 Moffett St
Salinas CA 93905
United States
QG-E 12 QualysGuard Enterprise
* Scheduled and on demand
security scans
* Unlimited user accounts
* Unlimited network discovery
maps
* Executive-level & detailed
technical reports
* QualysGuard PCI is bundled at
no added cost
* 24x7 email and telephone
Customer Support
QG-SA 12 Scanner Appliance--Subscription
* Daily signature updates
* Warranty for life of subscription
Credit Card Payments: Contact your Account Manager.
Qualys does not accept credit card payments over $25,000
50
Date 10/7/2010
Quotation # 24709
Valid Until 6/30/2011
Contact Trent Buttars
Contact Phone 707) 469-9875
Contact Fax 415) 276-2365
Contact Email tbuttars@qualys.com
Currency USA
Terms
Anticipated Start Date
6/30/2011
5950 6000
Total
88,603.90
6 8,970.00
$97,573.90
Plus taxes and shipping as required
By:
Name Title
Date
Purchase Order #
BIB]
40696-U01
FULLY-U02
EXECUTED-U02
AGREEMENT-U02
QUALYSGUARD-U02
A-11986-U02
LI21329-U03
FO96183-U03
FO96184-U03
FO99716-U03
MG99754-U03
AS99780-U03
AS99784-U03
AI100808-U03
DO102664-U03
C5-U03
AGREEMENTS-U03
6/1/2011-U04
BOYDA-U04
16414-U05
1-U06
A.-U07
APPROVE-U07
AUTHORIZE-U07
ON-U07
BEHALF-U07
OF-U07
THE-U07
INFORMATION-U07
TECHNOLOGY-U07
DEPARTMENT,-U07
THE-U07
MONTEREY-U07
COUNTY-U07
193-INFORMATION-U08
TECHNOLOGY-U08
JOSEPHS-U09
CHARLOTTE-U09
JOSEPHSC-U10
4/21/2011-U011
CONTRACTS/PURCHASING-U012
OFFICER-U012
TO-U012
SIGN-U012
THE-U012
QUALYS,-U012
INC.-U012
GUARD-U012
TOOL-U012
SOFTWARE-U012
APPLICATION-U012
END-U012
USER-U012
AGREEMENT,-U012
SECURITY-U012
VULNERABILITY-U012
IDENTIFICATION-U012
REMEDIATION,-U012
IN-U012
AN-U012
AMOUNT-U012
TO-U012
EXCEED-U012
$97,574-U012
THE-U012
PERIOD-U012
OF-U012
JULY-U012
1,-U012
2011-U012
THROUGH-U012
JUNE-U012
30,2012;-U012
B.-U012
ACCEPT-U012
NON-STANDARD-U012
COUNTY-U012
LIABILITY-U012
INDEMNIFICATION-U012
PROVISIONS-U012
AS-U012
RECOMMENDED-U012
BY-U012
THE-U012
DIRECTOR-U012
OF-U012
INFORMATION-U012
TECHNOLOGY.-U012