Drupal Steward Description of Services & Terms and Conditions

Description of Services

About the Drupal Association

The Drupal Association serves one of the largest global open source communities - Drupal, which has pioneered open source for more than 18 years. We make an important impact by building the tools that help our community build Drupal. We serve a diverse community - including coders, site builders, content editors, business people, themers, agency owners and more. Through conferences, webinars, marketing support and most importantly, maintaining Drupal.org, we reach many thousands of people a year in our quest to support and grow the Drupal Project.

The Drupal Association is an educational non-profit organization (501c3) that tasks itself with fostering and supporting the Drupal software project, the community and its growth. Supported by both individual members and organizations, the Association uses its resources, network and funds to constantly engage in new projects and initiatives to help educate people about Drupal and support the growth of the Drupal project.

The mission of the Drupal Association is to unite a global open source community to build, secure, and promote Drupal.

About the Security Working Group & Drupal Security Team

The mission of the Drupal Security Working Group ("Security Working Group" or "SecWG") is to ensure that Drupal core and Drupal's contributed project ecosystem provide world-class security, and to provide security best practices for site builders and module developers.

The SecWG acts as a volunteer body to review objective and subjective measures of the Drupal Security Team, maintain processes focused on resolution and communication of security issues in an efficient manner, and ensure the Drupal Security Team has the resources (both technical and membership-wise) and processes to work well.

Led by the SecWG, the Drupal Security Team is a body of volunteers and sponsored contributors that manages the daily work of coordinating with project maintainers to resolve security issues, following the responsible disclosure process for PSAs, deprecating unsupported modules, and more. More information about Drupal Security Team processes can be found on Drupal.org.

Product / Service Description

The Drupal Steward program ("Drupal Steward" or "Program") is a joint program of the Drupal Association and the Drupal Security Working Group to provide a service to the Drupal community. The Drupal Steward service will provide both small and large site owners with peace of mind in the event of a highly critical vulnerability. In particular, Drupal Steward offers a coordinated program to implement Web Application Firewall rules to protect Drupal sites from known vulnerabilities, in the period before patches for these vulnerabilities can be released and deployed.

Eligible Vulnerabilities

By its very nature, a Web Application Firewall solution can only protect sites from certain kinds of vulnerabilities - for example, those that involve manipulation of GET/POST information or malicious construction of URL strings.

The Security Working Group will be responsible for determining which vulnerabilities are eligible for coverage in the Drupal Steward program. At their discretion, inclusion may be limited to only highly critical, mass exploitable vulnerabilities in Drupal Core; however, they may also opt to extend this program to vulnerabilities outside of Drupal Core, or of different criticality.

Scope of Agreement

This Agreement allows the Customer to sign up their own sites or their client sites to the Drupal Steward program, to be protected by mitigations implemented for any qualifying vulnerabilities disclosed by the Security Working Group as part of said program. Without limiting the other obligations set forth in this Exhibit or the Agreement, the parties agree to the following:

The Drupal Association and Security Working Group will:

  • Inform the Customer of upcoming vulnerabilities that will be included in the Program, via Public Service Announcements posted to Drupal.org.
  • As needed, consult with the Customer to answer questions related to the vulnerability as necessary to refine the mitigation, or to resolve false positives or other unexpected findings discovered while implementing the mitigation.

The Customer may:

  • Notify stakeholders or clients of a SecWG published PSA for a vulnerability that will be covered by the Drupal Steward program.
  • Notify stakeholders or clients of a published PSA for any vulnerabilities that will not be covered by the Drupal Steward program. (But of course may indicate the Customer's alternative mitigation strategy).

The Customer may not:

  • Deliberately attempt to reverse engineer the vulnerabilities with intent to disclose them.
  • If the Customer learns the details of the vulnerability, the Customer may not disclose the details of the vulnerability to any employer, contractor, or customer, unless those details have already been publicly disclosed.

All mitigations offered by Drupal Steward are offered without guarantee or warranty. The Drupal Association and Security Working Group do not accept any responsibility or liability for implementation of the mitigations.

Terms and Conditions

This document sets forth the terms and conditions of Customer's use of the website security services (the "Services"). Drupal Association reserves the right, under its sole discretion, to (1) update these terms and conditions at any time;  (2) assign the Agreement to any of its Affiliates; and (3) change the Drupal Association Party providing Services; provided that Drupal Association will provide Customer with prompt written notice, and provided that Drupal Association remains obligated and responsible for the actions of its Affiliate and/or other Drupal Association Party. For the purposes of this Agreement, "Affiliate" means with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party.

  1. Services. Drupal Association will perform and provide the Services listed in the Description of Services. Customer will perform the services and fulfill the obligations described in the Description of Services.
  2. No Guarantee. Customer acknowledges that security compromises can sometimes be exceptionally detrimental to a website, e.g., resulting in all content being deleted or replaced, and Drupal Association makes no guarantee of absolute security of Customer's or its end users' website(s). Drupal Association will not be responsible for any loss or damage to Customer's or its end users' website(s) or data caused in whole or in part by a security breach. In addition, Customer acknowledges that there may be false positive security issues which may require significant investment to remediate, and the Drupal Association will not be responsible for compensating Customer for any such investment as the result of a false positive.
  3. Term/Termination.
    1. These terms and conditions shall apply whenever the Customer has an active subscription to the Drupal Steward service.
    2. If either party materially breaches this Agreement during the Term, the other party may terminate immediately if the breaching party fails to cure such breach within forty-five (45) days after written notice of such breach.
    3. Upon termination of this Agreement for any reason, each party shall return to the other party, or destroy, any Confidential Information obtained from the other party, and, except as set forth in Sections 4(E) and 4(F) below, Customer agrees to pay Drupal Association all undisputed amounts due or accrued as of the date of such termination.
    4. If Drupal Association terminates the Agreement due to Customer's material breach, Customer is and will remain liable to Drupal Association for the entirety of the amounts due and owing.
    5. Sections 4 through 11 shall survive any termination or expiration of this Agreement.
  4. Right to Refuse Service

    Drupal Association reserves the right to refuse service to or terminate the service of Customer for any lawful reason.

  5. Warranty and Disclaimer.
    1. Drupal Association represents and warrants that: (a) it shall perform the Services in a professional and workmanlike manner in accordance with all applicable laws; and (b) it has all rights necessary to perform its obligations under this Agreement and that this Agreement does not conflict with any obligation Drupal Association has to any third party. If the Services fail to reasonably conform in all material respects with the foregoing representations and warranties, Drupal Association will at its own expense, as Customer's sole remedy for such breach, and within 45 days after notice, repair, replace, cure, re-perform, or correct those non-conforming Services. If Drupal Association fails to replace or correct the Services within such period, or such longer period of time as the parties may agree on a case-by-case basis, then Customer may terminate this Agreement immediately and Drupal Association will refund a pro-rata portion of all prepaid fees under this Agreement. Customer represents and warrants that: (a) it shall perform its obligations in a professional and workmanlike manner in accordance with all applicable laws; and (b) it has all rights necessary to perform its obligations under this Agreement and that this Agreement does not conflict with any obligation Customer has to any third party.
    2. EXCEPT AS SET FORTH IN THIS SECTION, DRUPAL ASSOCIATION DISCLAIMS ALL WARRANTIES, IMPLIED OR EXPRESS, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING, GIVEN THE NATURE AND VOLUME OF MALICIOUS AND UNWANTED ELECTRONIC CONTENT, DRUPAL ASSOCIATION DOES NOT WARRANT THAT THE SERVICES ARE COMPLETE OR ACCURATE OR THAT DRUPAL ASSOCIATION WILL BE ABLE TO DETECT, REMOVE OR CLEAN ALL, OR ANY, MALICIOUS OR UNWANTED APPLICATIONS AND FILES. Customer is fully responsible for all liabilities and expenses of any type whatsoever that may arise on account of its activities, or those of its employees or agents, including satisfaction of its end users. Drupal Association will promptly notify Customer upon confirming that it is not able to remove or clean malware pursuant to the terms of this Agreement.
  6. Ownership Rights; Licenses
    1. Drupal Association shall retain ownership of all right, title and interest in and to its preexisting software, technology and other intellectual property, as well as all data, materials, ideas, concepts, designs, techniques, know-how, inventions, works of authorship and any other information resulting from or arising in the course of performance of the Services, and all intellectual property rights related to the foregoing ("Drupal IP"). Drupal Association grants to Customer and its Affiliates during the Term of the Agreement a fully paid up, non-exclusive, royalty free, worldwide right to use Drupal IP as necessary to use the Services for Customer internal business purpose only.

    2. Customer shall retain ownership of all right, title and interest in and to its information, data and other intellectual property related to the Customer websites ("Customer IP"). Customer hereby grants Drupal Association a limited, non-exclusive, non-transferable license to use Customer IP solely in connection with Drupal Association's performance of the Services.
    3. Notwithstanding anything to the contrary, Drupal Association shall have the right to collect and analyze data relating to the use and performance of the Services, and may (i) use such data (during and after the Term of this Agreement) to improve and enhance the Services, and (ii) disclose such data in aggregate or other de-identified form in connection with its business, provided that such data does not include personally identifiable information and/or identify Customer or any of its customers.
    4. Customer may use Drupal Association's name, logo and other identifiers for the Services ("Trademarks") on or in Customer advertising and promotional for such Services; provided that Customer will: (a) only use Trademarks in the form and manner, and in accordance with the usage guidelines that Drupal Association specifically prescribes; and (b) upon termination of this Agreement for any reason, immediately cease all use of Trademarks. Customer will not use, register or take other action with respect to any Trademark used anywhere in the world by Drupal Association, except to the extent authorized in writing by Drupal Association in advance.
  7. Indemnification. Drupal Association shall indemnify, defend and hold Customer harmless from and against any and all liabilities, judgments, awards, losses, damages, costs and expenses (including, but not limited to, reasonable attorneys' fees), arising from any third party claims that the Services provided by Drupal Association under this Agreement infringe the intellectual property rights of such third party. To qualify for such indemnification, Customer must: (i) give Drupal Association prompt written notice of any such claim no later than thirty (30) days after Customer learns of it, and (ii) allow Drupal Association to control, and fully cooperate with Drupal Association in, the defense and all related settlement negotiations. Upon notice of an alleged infringement, or if, in Drupal Association's opinion, such a claim is likely, Drupal Association shall have the right, at its option, to obtain the right to continue the provisions of the Services, substitute other services with similar operating capabilities and/or performance, or modify the Services (without detracting from function or performance) so that it is no longer infringing or subject to a third party claim. In the event that, after considering thoroughly such foregoing options, Drupal Association determines in good faith that none of the above options are reasonably available, Drupal Association may terminate this Agreement. In the event of such termination, Customer may as its sole and exclusive remedy, but without limiting Drupal Association's indemnification obligations, obtain a refund from Drupal Association of a pro rata portion of the prepaid fees paid for Services subscriptions. This Section states Drupal Association's entire liability under this Agreement for all third party claims of intellectual property infringement. 
Drupal Association shall not be responsible for any claim of infringement that arises from (i) the use of Services in a manner or in combination with products or services not provided by Drupal Association to the extent such claim would not have occurred except for such modifications, use or combination; (ii) the use of other than the latest available version of the Services made available to Customer 30 days after being notified by Drupal Association to update its version; or (iii) any use of the Service not in accordance with this Agreement or the applicable documentation or specifications where the infringement would not have occurred but for such Customer unauthorized use.
  8. Limitation of Liability. IN NO EVENT SHALL DRUPAL ASSOCIATION OR ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AFFILIATES, OR THIRD PARTY SERVICE PROVIDERS, BE LIABLE TO THE CUSTOMER OR ANY OTHER PERSON OR ENTITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING ANY THAT MAY RESULT FROM (I) PERSONAL INJURY OR PROPERTY DAMAGE OF ANY NATURE WHATSOEVER, (II) THIRD-PARTY CONDUCT OF ANY NATURE WHATSOEVER, (III) ANY UNAUTHORIZED ACCESS TO OR USE OF THE SERVICES, (IV) ANY INTERRUPTION OR CESSATION OF SERVICES, AND/OR (V) ANY LOSS OR DAMAGE OF ANY KIND INCURRED AS A RESULT OF CUSTOMER'S USE OF THE SERVICES, WHETHER BASED ON WARRANTY, CONTRACT, TORT, OR ANY OTHER LEGAL OR EQUITABLE THEORY, AND WHETHER OR NOT DRUPAL ASSOCIATION OR ANY OTHER PARTY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING LIMITATION OF LIABILITY SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW, AND SHALL SURVIVE ANY TERMINATION OR EXPIRATION OF THIS AGREEMENT OR CUSTOMER'S USE OF THE SERVICES.  THE FOREGOING LIMITATIONS OF LIABILITY SHALL NOT APPLY TO OR LIMIT DRUPAL ASSOCIATION'S INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT.
  9. Marketing / Publicity. Neither party may use or solicit any aspect of this Agreement to their audience, or customers without prior written consent from each party, except as explicitly defined in this Agreement.
  10. Reseller. This Agreement does not allow Customer to sell the Service as a stand-alone service to an external audience. It's designed to be complementary to an organization's existing business model. Customer: (a) may advertise the Services under this Agreement as a complimentary service to their existing paying customers, (b) may leverage approved marketing imagery and messaging to help promote, educate and solicit interest within its customer base, (c) may not offer the Services under this Agreement as their own service publicly or as their own stand alone service, (d) must disclose exact Services under this Agreement to any potential purchaser to include or exclude, but not limited to monitoring, protection, remediation or any other services included in this Agreement, (e) may not publish pricing defined in this Agreement publicly, and (f) may not actively pursue and otherwise dissuade existing Drupal Association customers from using Services directly if they so desire.
  11. General. Except as expressly permitted in this Agreement, neither  party may assign any of its rights or delegate any of its duties under this Agreement without the prior written consent of the other, except that no such consent is required for (i) assignment to any third party who succeeds to substantially all of the business or assets of the assignor (ii) assignment of the Agreement to a Customer's affiliate. This Agreement shall be binding on and inure to the benefit of the successors and permitted assigns of the parties. For all purposes of this Agreement each party shall be and act as an independent contractor and not as partner, joint venture, or agent of the other and shall not bind, nor attempt to bind, the other to any contract. All notices under this Agreement shall be in writing and shall be deemed given when personally delivered, when sent by confirmed fax, when emailed and recipient acknowledges receipt or three (3) days after being sent by prepaid certified or registered U.S. mail to the address of the party to be noticed as set forth herein or such other address as such party last provided to the other by written notice. This Agreement shall be governed by and construed in accordance with the federal law of the United States and the state law of Oregon, whichever is applicable, without regard to conflict of laws principles. Customer agrees that any action relating to or arising out of this Agreement shall be brought in the state or federal courts of Multnomah County, Oregon, and Customer hereby consents to (and waives all defenses of lack of personal jurisdiction and forum non conveniens with respect to) jurisdiction and venue in the state and federal courts of Multnomah County, Oregon. Customer agrees to waive the right to trial by jury in any action or proceeding that takes place relating to or arising out of this Agreement. 
In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys' fees. If any portion of this Agreement is determined by any competent court to be illegal or unenforceable, such portion(s) shall be limited or excluded from this Agreement to the minimum extent required so that this Agreement shall otherwise remain in full force and effect and enforceable. Each party shall be responsible for compliance with all applicable laws, rules and regulations, if any, related to the performance of its obligations under this Agreement. This Agreement, including all Exhibits a part hereof, contains the entire understanding of the parties regarding its subject matter and can only be modified or waived by a subsequent written agreement signed by both parties. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same agreement.

Last updated 3 June 2021