Breach Services Program Terms (Terms)
These Terms together with the applicable Breach Services Engagement (Engagement) form the Agreement. This Agreement is between the Norton entity (Norton) and the company (Company) identified in the Engagement and relates to Company’s participation in the Norton Breach Services Program (Program). Capitalized terms used but not defined in these Terms are set out in the Engagement.
1. Program; Services. As a participant in the Program, Company may offer the ITP Services to Prospective End Users in the Territory as specified in the Engagement. When the Prospective End User is enrolled into the ITP Services and their account is activated, they enter a direct and independent relationship with Norton (End User), governed by Norton’s end user license agreement and global privacy statement (End User Terms). End User Terms must be accepted before ITP Services begin. Norton will provide such ITP Services to each End User for the duration of each paid ITP Services term. Company may choose to purchase additional services, as specified in the Engagement (Additional Services). ITP Services and Additional Services are collectively the Services.
2. Partner Engagement. Any partner referring a Company wishing to participate in the Program (Partner) must enter into a separate agreement with Norton (Breach Services Partner Agreement) before introducing Company to Norton. Company and Norton must separately enter into an Engagement before Norton can provide the Services. Partner must be specified on the Engagement and the Engagement will specify if Company or Partner will pay Norton for the Services. Where Partner is paying for the Services, Partner will pay Norton in accordance with the Breach Services Agreement. Company and Partner may separately agree fees for the Services.
3. Enrollment Process and Requirements. Norton will provide a promotion code or website link, and ITP Services enrollment instructions, for Company to provide to Prospective End Users. Company may not directly enroll any Prospective End User for ITP Services. Prospective End Users must provide the required enrollment information directly to Norton to enroll in or access the ITP Services (Enrollment Information). Norton may either reduce or cancel the Services to End Users without any liability for: (a) incomplete or inaccurate Enrollment Information, (b) End User’s failure to fully activate the Services or (c) an End User that is unable to be verified for the particular Service. Norton will not accept any reduction in fees for the reduced or cancelled Services.
4. Payment. Unless Partner is paying Norton for the Services, Company shall pay all fees within 30 days of date of invoice (Due Date). Company is responsible for and will pay all sales, use and other applicable taxes due in connection with the Services, excluding tax due on Norton’s income. Fees paid are nonrefundable and Company’s obligation to pay all fees specified in an Engagement is noncancellable. If any amounts are not paid by the Due Date, Norton may (i) suspend or terminate the Services; or (ii) charge late payment fees of the greater of 1.5% per month or the highest rate permissible by law on the unpaid amount.
5. Confidentiality. If a party receives the other’s designated confidential or proprietary information, it may only be used for the Program and to fulfill this Agreement. Sharing it with third parties is not allowed except when the Company needs to share it with their Partner or as legally required.
6. Company Duties. Company will not represent Norton as an insurance company, or as providing any insurance or credit repair services to Prospective End Users. The Services are provided in connection with a breach (or anticipated potential future breach) of personal data that is processed and/or controlled by Company, its affiliates, or its or their third parties. The parties agree that Company is solely responsible and liable for: (i) such breach and all communications, acts and omissions relating to the breach including without limit the content, format, timing and delivery method of all notifications and responses to Frequently Asked Questions (FAQs), and for the accuracy of all data and information provided to Norton including without limit any Prospective End User mailing lists (where applicable) and (ii) obtaining independent legal advice in relation to all breaches, anticipated breaches, and related notifications, FAQs, remediation and mitigation efforts. Parties acknowledge and agree that the Services do not include, and Norton does not provide, any legal advice or recommendations of any kind and no statements or actions by Norton shall be relied on as legal advice. Company will hold Norton harmless for any breach of the rights and obligations set out under this section and for any liability arising in the event that Norton terminates the Agreement for Company’s breach.
7. Disclaimers. Norton makes no express or implied warranties or representations of any kind. Company is not permitted to make any warranties and representations on Norton’s behalf.
8. Limitation of liability. To the extent allowed by applicable law, neither party shall be liable for any indirect, special or consequential damages and Norton’s total liability under or in connection with the Agreement is limited to net revenue received by Norton for the provision of the Services in the 12 months before the dispute. Notwithstanding the foregoing, nothing in this Agreement will seek to exclude either party’s liability for fraudulent misrepresentation, willful misconduct, gross negligence, death, personal injury or any other liability to the extent that such liability may not be excluded or limited under applicable law.
9. Termination. Either Party may terminate the Agreement with immediate effect for material breach if such breach is not cured within 30 days after written notice of such breach. Termination of the Agreement or of a Company’s relationship with Partner or of an End User’s relationship with Company shall not terminate the provision of ITP Services to any End User for the remainder of the paid ITP Services term. Upon any expiration or termination the rights granted under this Agreement are immediately revoked.
10. General. All notices must be sent to the addresses specified in the Engagement with a copy to Legal.Department@gendigital.com. Norton and its licensors own all worldwide rights, title, and interests in and to its intellectual property including without limit the Services and related documentation. Company acquires no rights or licenses. This Agreement may not be assigned without prior written consent, except to a party’s affiliates or successors in a merger, acquisition or asset sale. A party’s waiver or failure to exercise any right or require performance under the Agreement is not a waiver of any further failure. The Agreement is governed exclusively by the laws as specified below without regard to principles of conflicts of law. If Company is based in EMEA: The laws of Ireland. Venue for any legal action will be the Irish courts, Dublin; If Company is based in Japan: The laws of Japan. Venue for any legal action will be the Japanese courts; If Company is based in the Asia Pacific region: The laws of Singapore. Venue for any legal action will be the courts of Singapore. If Company is based in the Americas: The laws of California. Venue for any legal action will be the courts of Santa Clara County, California. In the event of translation, the English version shall prevail. Company waives any right to have this Agreement officially written in the language of the applicable Territory where applicable. Each party is not an agent or subcontractor of the other and has no right to represent or create any obligation on behalf of the other. Not all Services or Service features may be available in all jurisdictions. The parties may not make reference to the other party for marketing or publicity purposes without prior written consent. The parties agree that no double recovery by Company and any Partner will be permitted under this Agreement. Duplicate claims against Norton by Company and Partner must be combined. 
Any legal action arising in connection with the Agreement must be filed within 1 year of the date that such cause of action arises. All statutory limitation periods (whether arising in contract, tort or otherwise) are expressly excluded. This is the entire agreement between the parties for the Services and changes to these Terms must be made in writing and be signed by both parties but the parties may modify the Engagement as mutually agreed in writing by their authorized representatives. Each party will comply with all applicable laws and regulations, including export compliance, anti-money laundering and anticorruption laws.
11. Additional Services. The following applies only to the extent that any applicable Additional Services are specified in an Engagement. For the avoidance of doubt, not all Additional Services are available in all countries.
Additional Services available in Australia and New Zealand only.
A. Call Center Services. Norton will provide inbound telephone support to assist Prospective End Users with enrollment in ITP Services and answer specific frequently asked questions (FAQ) during the agreed Enrollment Period. Following enrollment, End Users may contact Norton’s Member Services for ITP Services support.
I. Proposal. Company will provide Norton with information describing the Company’s business drivers. This information may include (i) anticipated notice deadlines, (ii) number of individuals to receive Services, (iii) minors affected, (iv) selection of any ITP Services, (v) anticipated call volumes, and (vi) call center FAQs.
II. Company’s FAQ. Norton or Partner will provide Company with a template of the FAQs for Company to complete. Company must return this to Norton in the same format it was received.
III. Set Go-live Date. Company must schedule a final go-live date. A final go-live date must be set at least 5 days after all FAQ questions and responses have been finalized (or this may be sooner depending on the size of Prospective End Users).
IV. Go-live and service level requirements. Starting at 12:00 a.m. (midnight) on the agreed upon final go-live date, the Norton call center will accept calls from the Company’s Prospective End Users. Norton call center support will be available weekly, 24x7.
V. Reporting. On request, Norton will provide a member detail report specific to the Promotional Code.
VI. Closing of the Enrollment Period and completion of Services. Upon completion of the Enrollment Period, Norton will discontinue supporting the FAQs. Prospective End Users will be advised that the Enrollment Period has ended. For Activated End Users, Norton will continue to provide call center support pursuant to the End User Terms.
Additional Services available in North America only.
A. Mail Notification Services. Norton will engage a third party subcontractor to deliver Company’s personal data breach notification to Prospective End Users via the U.S. Postal Service. Norton will include with the notice ITP Services enrollment instructions including the applicable promotion code or website link.
I. Proposal. Company will provide Norton with information describing the Company’s (i) anticipated notice deadlines, (ii) number of Prospective End Users (adults and minors), and (iii) volume and frequency of breach notification mailings.
II. Prospective End User List. Company must provide Norton with a list of Prospective End Users, in an Excel format, containing the first name, last name and mailing address for the entire population. The list must be formatted consistently with Norton’s guidelines, which will be provided to Company. If minors are included in the population, Company must include a column indicating which individuals are minors. The member list must be encrypted and sent using a secure distribution method as agreed by Norton.
III. Validation. Norton, through its subcontractor, will validate the addresses contained in the Prospective End User list through the National Change of Address (NCOA) database. If during this validation process the NCOA database highlights any changes to the addresses (e.g., in the event of decedents, change of locations) this will be communicated to Company and Company shall have the choice as to which address(es) to mail to. If any addresses are not formatted in accordance with the formatting guidelines provided to Company, or if a Prospective End User’s address cannot be validated, that Prospective End User will be removed from the mailing list, and neither Norton nor its subcontractors will mail any correspondence to those individuals. Norton will notify Company regarding those Prospective End Users that are removed from the mailing list, and Company will not be entitled to a reduction in the applicable purchase price if a Prospective End User is removed from the mailing list pursuant to this section. Note that Company may incur additional fees in the event of multiple mailings. Norton is not responsible for correspondence not sent pursuant to this section and Company assumes the responsibility for all associated risks.
IV. Notifications. Company will provide Norton with the opportunity to review the notification in advance of delivery. Company is solely responsible for the preparation, content and legal and regulatory compliance of all notifications, provided that Company shall not include in its notifications any representation about Norton or the Services (other than enrollment instructions as provided by Norton), or any information that could reasonably be interpreted as libelous, unlawful or unethical.
V. Authorize Final Proof. Company will receive a final proof of the notification letter for Company’s approval within 1 business day of submission of a final draft to Norton’s mail services subcontractor by Company. Company must approve the final proof. If the Company requires multiple proofs, Company may incur additional fees. Any changes to the fees must be documented through a mutually executed change order.
VI. Physical Production and Mail Drop Date. The notification letters will not be printed until Company has approved all final proofs. After the Company confirms the mail drop date, the notifications will be placed in the delivery channel with the U.S. Postal Service. A final mail drop date must be set at least 3 business days after the following are completed:
i. Company provides approval of all final proofs, and
ii. If applicable, all Call Center Service requirements and time frames, as documented on the Engagement, have been met. For clarification, if a Company is utilizing Call Center Services in addition to Mail Notification Services, a final mail drop date must be at least 5 business days after Norton receives all required deliverables.
VII. Completion of Mailing and Reporting. Following completion of the mailing, Norton will provide mailing confirmation for those letters mailed. Norton, through its subcontractor, will provide Company with returned mail updates as soon as reasonably possible after distribution. Norton is not responsible for correspondence returned pursuant to this section and Company assumes the responsibility for all associated risks.
VIII. Personal Data. Company shall only disclose Personal Data to Norton as required in the Prospective End User List described above and shall ensure that no Personal Data is provided to Norton unless all necessary consents, rights and authority have been obtained for Norton and its third parties to utilize the Personal Data for purposes of the Agreement and the provision of Mail Notification Services. Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
B. Call Center Services. Norton will provide inbound telephone support to assist Prospective End Users with enrollment in ITP Services and answer specific frequently asked questions (FAQ) during the agreed Enrollment Period. Following enrollment, End Users may contact Norton’s Member Services for ITP Services support.
I. Proposal. Company will provide Norton with information describing the Company’s business drivers. This information may include (i) anticipated notice deadlines, (ii) number of individuals to receive Services, (iii) minors affected, (iv) selection of any ITP Services, (v) anticipated call volumes, and (vi) call center FAQs.
II. Company’s FAQ. Norton will provide Company with a template of the FAQs for Company to complete. Company must return this to Norton in the same format it was received.
III. Set Go-live Date. Company must schedule a final go-live date. A final go-live date must be set at least 5 days after all FAQ questions and responses have been finalized (or this may be sooner depending on the size of Prospective End Users).
IV. Go-live and service level requirements. Starting at 12:00 a.m. (midnight) on the agreed upon final go-live date, the Norton call center will accept calls from the Company’s Prospective End Users. Norton call center support will be available weekly, 24x7.
V. Reporting. On request, Norton will provide call reports for the telephone number assigned to Company (TFN), which will include (i) total calls, (ii) calls answered, and (iii) abandoned calls. Additionally, Norton will provide a member detail report specific to the Promotional Code.
VI. Closing of the Enrollment Period and completion of Services. Upon completion of the Enrollment Period, Norton will discontinue supporting the FAQs. Additionally, the TFN will connect Prospective End Users to Norton’s main call center menu, and Norton will advise a Prospective End User that the Enrollment Period has ended. For Activated End Users, Norton will continue to provide call center support pursuant to the End User Terms.
VII. FAQ Compliance. Company will provide Norton with an FAQ. Company’s statement FAQ cannot conflict with its press releases and other public-facing talking points. Company shall be fully responsible for the representations and consequences of the content of the FAQs that it provides to Norton for use with the Prospective End Users.
C. Website Enrollment Services. Norton will make available a co-branded website through which Prospective End Users may enroll in ITP Services during the agreed Enrollment Period. The website will be comprised of Norton standard content and the Company provided FAQ, except as expressly agreed by the Parties in writing. Following the Enrollment Period, End Users may contact Norton’s Member Services for Service support. Company grants Norton a limited right and license to use and display the Company’s trademarks and logos during the Enrollment Period for the sole purpose of co-branding the enrollment website in order to provide the Website Enrollment Services. Norton will comply with Company’s branding guidelines as provided by Company in advance of website go-live.