Microsoft Cloud Agreement – Terms and Conditions

This Microsoft Cloud Agreement is entered into between the entity you represent, or, if you do not designate an entity in connection with a Subscription purchase or renewal, you individually (“Customer” or “you”), and Microsoft Corporation (“Microsoft”).  It consists of the terms and conditions below, Use Rights, SLA, and all documents referenced within those documents (together, the “agreement”).  It is effective on the date that your Reseller provisions your Subscription.  Key terms are defined in Section 15. Grants, rights and terms. All rights granted under this agreement are non-exclusive and non-transferable and apply as long as neither Customer nor any of its Affiliates is in material breach of this agreement.

1.  Software. Upon acceptance of each order, Microsoft grants Customer a limited right to use the Software in the quantities ordered.
   1. Use Rights. The Use Rights in effect when Customer orders Software will apply to Customer’s use of the version of the Software that is current at the time.  For future versions and new Software, the Use Rights in effect when those versions and Software are first released will apply.  Changes Microsoft makes to the Use Rights for a particular version will not apply unless Customer chooses to have those changes apply.
   2. Temporary and perpetual licenses. Licenses available on a subscription basis are temporary.  For all other licenses, the right to use Software becomes perpetual upon payment in full.
2. Online Services. Customer may use the Online Services as provided in this agreement.
   1. Online Services Terms. The Online Services Terms in effect when Customer orders or renews a subscription to an Online Service will apply for the applicable subscription term.  For Online Services that are billed periodically based on consumption, the Online Services Terms current at the start of each billing period will apply to usage during that period.
   2. Microsoft may suspend use of an Online Service during Customer’s violation of the Acceptable Use Policy or failure to respond to a claim of alleged infringement. Microsoft will give Customer notice before suspending an Online Service when reasonable.
   3. End Users.Customer controls access by End Users, and is responsible for their use of the Product in accordance with this agreement.  For example, Customer will ensure End Users comply with the Acceptable Use Policy.
   4. Customer Data. Customer is solely responsible for the content of all Customer Data.  Customer will secure and maintain all rights in Customer Data necessary for Microsoft to provide the Online Services to Customer without violating the rights of any third party or otherwise obligating Microsoft to Customer or to any third party.  Microsoft does not and will not assume any obligations with respect to Customer Data or to Customer’s use of the Product other than as expressly set forth in this agreement or as required by applicable law.
   5. Responsibility for your accounts. Customer is responsible for maintaining the confidentiality of any non-public authentication credentials associated with Customer’s use of the Online Services. Customer must promptly notify customer support about any possible misuse of Customer’s accounts or authentication credentials or any security incident related to the Online Services.
3. License transfers. License transfers are not permitted, except that Customer may transfer only fully-paid perpetual licenses to (1) an Affiliate or (2) a third party, solely in connection with the transfer of hardware or employees to whom the licenses have been assigned to the third party as part of (a) a divestiture of all or part of an Affiliate or (b) a merger involving Customer or an Affiliate. Upon such transfer, Customer and its Affiliates must uninstall and discontinue using the licensed Product and render any copies unusable.  Attempted license transfers that do not comply with this agreement are void.
4. Reservation of rights. Products are protected by copyright and other intellectual property rights laws and international treaties.  Microsoft reserves all rights not expressly granted in this agreement.  No rights will be granted or implied by waiver or estoppel.  Rights to access or use Software on a device do not give Customer any right to implement Microsoft patents or other Microsoft intellectual property in the device itself or in any other software or devices.
5. Restrictions. Customer may use the Product only in accordance with this agreement. Customer may not (and is not licensed to): (1) reverse engineer, decompile or disassemble any Product or Fix, or attempt to do so; (2) install or use non-Microsoft software or technology in any way that would subject Microsoft’s intellectual property or technology to any other license terms; or (3) work around any technical limitations in a Product or Fix or restrictions in Product documentation. Customer may not disable, tamper with, or otherwise attempt to circumvent any billing mechanism that meters Customer’s use of the Online Services.  Except as expressly permitted in this agreement or Product documentation, Customer may not distribute, sublicense, rent, lease, lend, resell or transfer and Products, in whole or in part, or use them to offer hosting services to a third party.
6. Preview releases. Microsoft may make Previews available.  Previews are provided “as-is,” “with all faults,” and “as-available,” and are excluded from the SLA and all limited warranties provided in this agreement.  Previews may not be covered by customer support.  Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Online Services Terms and any additional notices provided with the Preview.  Microsoft may change or discontinue Previews at any time without notice.  Microsoft also may choose not to release a Preview into “General Availability.”
7. Verifying compliance for Products.
   1. Right to verify compliance. Customer must keep records relating to all use and distribution of Products by Customer and its Affiliates.  Microsoft has the right, at its expense, to verify compliance with the Products’ license terms.  Customer must promptly provide any information reasonably requested by the independent auditors retained by Microsoft in furtherance of the verification, including access to systems running the Products and evidence of licenses for Products that Customer hosts, sublicenses, or distributes to third parties. Customer agrees to complete Microsoft’s self-audit process, which Microsoft may request as an alternative to a third party audit.
   2. Remedies for non-compliance. If verification or self-audit reveals any unlicensed use of Products, then within 30 days (1) Customer must order sufficient licenses to cover its use, and (2) if unlicensed use is 5% or more, Customer must reimburse Microsoft for the costs Microsoft incurred in verification and acquire the necessary additional licenses at 125% of the price, based on the then-current price last and customer price level.  The unlicensed use percentage is based on the total number of licenses purchased for current use compared to the actual installed base.  If there is no unlicensed use, Microsoft will not subject Customer to another verification for at least one year.  By exercising the rights and procedures described above, Microsoft does not waive its rights to enforce this agreement or to protect its intellectual property by any other legal means.
   3. Verification process.Microsoft will notify Customer at least 30 days in advance of its intent to verify Customers’ compliance with the license terms for the Products Customer and its Affiliates use or distribute. Microsoft will engage an independent auditor, which will be subject to a confidentiality obligation.  Any information collected in the self-audit will be used solely for purposes of determining compliance.  This verification will take place during normal business hours and in a manner that does not unreasonably interfere with Customer’s operations.

Subscriptions, ordering.

1. 1. Choosing a Reseller. Customer must choose and maintain a Reseller authorized within its region.  If Microsoft or Reseller chooses to discontinue doing business with each other, Customer must choose a replacement Reseller or purchase a Subscription directly from Microsoft, which may require Customer to accept different terms.
   2. Available Subscription offers. The Subscription offers available to Customer will be established by its Reseller and generally can be categorized as one or a combination of the following:
      1. Online Services Commitment Offering. Customer commits in advance to purchase a specific quantity of Online Services for use during a Term and to pay upfront or on a periodic basis for continued use of the Online Service.
      2. Consumption Offering (also called Pay-As-You-Go).Customer pays based on actual usage with no upfront commitment.
      3. Limited Offering.Customer receives a limited quantity of Online Services for a limited term without charge (for example, a free trial) or as part of another Microsoft offering (for example, MSDN).  Provisions in this agreement with respect to the SLA and data retention may not apply.
      4. Software Commitment Offering. Customer commits in advance to purchase a specific quantity of Software for use during a Term and to pay upfront or on a periodic basis for continued use of the Software.
   3. Ordering.
      1. Orders must be placed through Customer’s designated Reseller. Customer may place orders for its Affiliates under this agreement and grant its Affiliates administrative rights to manage the Subscription, but, Affiliates may not place orders under this agreement. Customer also may assign the rights granted under Section 1.a and 1.b to a third party for use by that third party in Customer’s internal business.  If Customer grants any rights to Affiliates or third parties with respect to Software or Customer’s Subscription, such Affiliates or third parties will be bound by this agreement and Customer agrees to be jointly and severally liable for any actions of such Affiliates or third parties related to their use of the Products.
      2. Customer’s Reseller may permit Customer to modify the quantity of Online Services ordered during the Term of a Subscription. Additional quantities of Online Services added to a Subscription will expire at the end of that Subscription.
   4. Pricing and payment. Prices for each Product and any terms and conditions for invoicing and payment will be established by Customer’s Reseller.
   5. Renewal.
      1. Upon renewal of a Subscription, Customer may be required to sign a new agreement, a supplemental agreement or an amendment to this agreement.
      2. Customer’s Subscription will automatically renew unless Customer provides its Reseller with notice of its intent not to renew prior to the expiration of the Term.
   6. Eligibility for Academic, Government and Nonprofit versions.Customer agrees that if it is purchasing an academic, government or nonprofit offer, Customer meets the respective eligibility requirements listed at the following sites:
      1. For academic offers, the requirements for educational institutions (including administrative offices or boards of education, public libraries, or public museums) listed at http://go.microsoft.com/academic;
      2. For government offers, the requirements listed at http://go.microsoft.com/government; and
      3. For nonprofit offers, the requirements listed at http://go.microsoft.com/nonprofit. Microsoft reserves the right to verify eligibility at any time and suspend the Online Service if the eligibility requirements are not met.
   7. Taxes. The parties are not liable for any of the taxes of the other party that the other party is legally obligated to pay and which are incurred or arise in connection with or related to the transactions contemplated under this agreement, and all such taxes will be the financial responsibility of the party who is obligated by operation of law to pay such tax.

Term, termination.

1. 1. Agreement term and termination. This agreement will remain in effect until the expiration or termination of Customer’s Subscription, whichever is earliest.  Customer may terminate this agreement at any time by contacting its Reseller.  The expiration or termination of this agreement will only terminate Customer’s right to place new orders for additional Products under this agreement.
   2. Termination for cause. If either party breaches this Agreement, the other party may terminate the breached agreement (in whole or in part, including orders) upon notice.  If the breach is curable within 30 days, then the terminating party must provide 30 days’ notice to the breaching party and an opportunity to cure the breach.
   3. Cancel a Subscription. Customer’s Reseller will establish the terms and conditions, if any, upon which Customer may cancel a Subscription.
2. Warranties.

1. Limited warranty.
   1. Software. Microsoft warrants that each version of the Software will perform substantially as described in the applicable Product documentation for one year from the date Customer is first licensed for that version.  If it does not, and Customer notifies Microsoft within the warranty term, then Microsoft will, at its option, (1) return the price Customer paid for the Software license or (2) repair or replace the Software. The remedies above are Customer’s sole remedies for breach of the warranties in this section. Customer waives any breach of warranty claims not made during the warranty period.
   2. Online Services.Microsoft warrants that each Online Service will perform in accordance with the applicable SLA during Customer’s use.  Customer’s remedies for breach of this warranty are in the SLA.
2. The warranties in this agreement do not apply to problems caused by accident, abuse or use inconsistent with this agreement, including failure to meet minimum system requirements.  These warranties do not apply to free or trial products, Previews, Limited Offerings, or to components of Products that Customer is permitted to redistribute.
3. Except for the limited warranties above, Microsoft provides no warranties or conditions for Products and disclaims any other express, implied, or statutory warranties for Products, including warranties of quality, title, non-infringement, merchantability and fitness for a particular purpose.

Defense of third party claims. The parties will defend each other against the third-party claims described in this section and will pay the amount of any resulting adverse final judgment or approved settlement, but only if the defending party is promptly notified in writing of the claim and has the right to control the defense and any settlement of it.  The party being defended must provide the defending party with all requested assistance, information, and authority.  The defending party will reimburse the other party for reasonable out-of-pocket expenses it incurs in providing assistance.  This section describes the parties’ sole remedies and entire liability for such claims.

1. By Microsoft. Microsoft will defend Customer against any third-party claim to the extent it alleges that a Product or Fix made available by Microsoft for a fee and used within the scope of the license granted under this agreement (unmodified from the form provided by Microsoft and not combined with anything else), misappropriates a trade secret or directly infringes a patent, copyright, trademark or other proprietary right of a third party.  If Microsoft is unable to resolve a claim of infringement under commercially reasonable terms, it may, as its option, either: (1) modify or replace the Product or fix with a functional equivalent; or (2) terminate Customer’s license and refund any prepaid license fees (less depreciation on a five-year, straight-line basis) for perpetual licenses and any amount paid for Online Services for any usage period after the termination date.  Microsoft will not be liable for any claims or damages due to Customer’s continued use of a Product or Fix after being notified to stop due to a third-party claim.
2. By Customer. To the extent permitted by applicable law, Customer will defend Microsoft against any third-party claim to the extent it alleges that: (1) any Customer Data or non-Microsoft software hosted in an Online Service by Microsoft on Customer’s behalf misappropriates a trade secret or directly infringes a patent, copyright, trademark, or other proprietary right of a third party; or (2) Customer’s use of any Product or Fix, alone or in combination with anything else, violates the law or harms a third party.

Limitation of liability. For each Product, each party’s maximum, aggregate liability to the other under this agreement is limited to direct damages finally awarded in an amount not to exceed the amounts Customer was required to pay for the applicable Products during the term of this agreement, subject to the following:

1. Online Services. For Online Services, Microsoft’s maximum liability to Customer for any incident giving rise to a claim will not exceed the amount Customer paid for the Online Service during the 12 months before the incident; provided that in no event will Microsoft’s aggregate liability for any Online Service exceed the amount paid for that Online Service during the Subscription.
2. Free Products and distributable code. For Products provided free of charge and code that Customer is authorized to redistribute to third parties without separate payment to Microsoft, Microsoft’s liability is limited to direct damages finally awarded up to US$5,000.
3. In no event will either party be liable for loss of revenue or indirect, special, incidental, consequential, punitive, or exemplary damages, or damages for loss of use, lost profits, revenues, business interruption, or loss of business information, however caused or on any theory of liability.
4. The limits of liability in this section apply to the fullest extent permitted by applicable law, but do not apply to: (1) the parties’ obligations under section 6; or (2) violation of the other’s intellectual property rights.

Support and Professional Services. Customer’s Reseller will provide details on support services available for Products purchased under this agreement.  Support services may be performed by Reseller or its designee, which in some cases may be Microsoft.  If Customer purchases Professional Services under this agreement, the performance of those Professional Services will be subject to the terms and conditions in the Use Rights. Government Community requirements. Customer certifies that it is a member of the Community and agrees to use Government Community Cloud Services solely in its capacities as a member of the Community and for the benefit of end users that are members of the Community.  Use of Government Community Cloud Services by an entity that is not a member of the Community or to provide services to non-Community members is strictly prohibited.  Customer acknowledges that only Community members may use Government Community Cloud Services. All terms and conditions applicable to non-Government Community Cloud Services also apply to their corresponding Government Community Cloud Services, except as otherwise noted in the Use Rights and this Agreement. Customer may not deploy or use Government Community Cloud Services and corresponding non-Government Community Cloud Services in the same domain. Any Customer that uses Government Community Cloud Services must maintain its status as a member of the Community.  Maintaining status as a member of the Community is a material requirement for such services. Use Rights for Government Community Cloud Services.  For Government Community Cloud Services, notwithstanding anything to the contrary in the Use Rights:

1. Government Community Cloud Services will be offered only within the United States.
2. Additional European Terms, as set forth in the Use Rights, will not apply.
3. References to geographic areas in the Use Rights with respect to the location of Customer Data at rest, as set forth in the Use Rights, refer only to the United States.
4. All terms and conditions applicable to non-Government Community Cloud Services also apply to their corresponding Government Community Cloud Services, except as otherwise noted herein.
5. Customer may not deploy or use Government Community Cloud Services and corresponding non-Government Community Cloud Services in the same domain. Additionally, Office 365 US Government may not be deployed or used in the same domain as other Government Community Cloud Services.
6. Notwithstanding the Data Processing Terms section of the Online Services Terms, Office 365 GCC High and Azure Government Services are not subject to the same control standards and frameworks as the Microsoft Azure Core Services. The Compliance Trust Center Page describes the control standards and frameworks with which Office 365 GCC High and Azure Government Services comply.

Operational and Ordering Consideration for GCC High:

1. Customer (a) acknowledges that its Tenant administrator console (when available) will appear to include more licenses than it has ordered and is entitled to; and (ii) agrees that it must order licenses for every User account it assigns.Notwithstanding anything to the contrary in the order and Product Terms, Licenses will be deemed “Reserved” for each user (and thereby subject to a True-Up Order requirement in accordance with the terms and conditions of the order), as of the day that User’s account is reserved, unless a License for each such User is ordered in advance. Customer is solely responsible for keeping accurate records of the month each User is assigned to a User account, and will provide such records to Microsoft with its True-Up orders.
2. Customer acknowledges that (a) availability of its Office 3635 GCC High tenant may follow several weeks after its initial order, and (a) the service components provided pursuant to its orders for “Suite” SKUs such as E1 and E3, as listed in the Office 365 GCC High, may differ from those components available in similar suites available in other forms of Office 365 Services.
3. The parties acknowledge that, as of the date this Agreement was executed, the Office 365 ProPlus “click-to-run” (C2R) feature is not yet available in Office 365 GCC High, notwithstanding anything to the contrary in the Use Rights. Accordingly, the following terms and conditions shall apply:
   1. Until C2R functionality is made available, Customer may install up to two (2) local copies of Office Professional Plus for each User to whom E3 licenses are assigned, for the sole use of those assigned Users on Qualified Devices in Customer’s Enterprise.
   2. Once C2R functionality is made available (the “C2R release date,” to be announced in the Office 365 Service Descriptions), Customer must cease installing additional local copies of Office Professional Plus, and shall as soon as practicable (but in no event later than 12 months following the C2R release date) replace each local copy that was installed pursuant to the preceding paragraph with a C2R-installed copy.

ITAR Covered Services. This section applies to only the ITAR Covered Services, defined below, Customer buys under this Agreement.  These terms only apply if Customer provides express notice to Microsoft of its intent to manage ITAR controlled data in the Customer Data in accordance with the directions provided here:  https://azuregov.microsoft.com/regulationcollection.

1. Prerequisites:
   1. Customer is responsible for ensuring that the prerequisites established or required by the ITAR are fulfilled prior to introducing ITAR-controlled data into the ITAR Covered Services.
   2. Customer acknowledges that the ITAR Covered Services ordered by its under the Enrollment enable End Users optionally to access and use a variety of additional resources, applications, or services that are (a) provided by third parties, or (b) provided by Microsoft subject to their own terms of use or privacy policies (collectively, for convenience, “add-ons”), as described in services documentation and/or in the portal through which your administrator(s) will manage and configure the ITAR Covered Services.
   3. Customer is responsible for reviewing Online Services documentation, configuring the ITAR Covered Services, and adopting and implementing such policies and practices for your End Users’ use of ITAR Covered Services, together with any add-ons, as you determine are appropriate to comply with the ITAR or other legal or regulatory requirements applicable to you and not generally applicable to Microsoft as an IT service provider. Customer acknowledges that only ITAR Covered Services will be delivered subject to the terms of this Section. Processing and storage of ITAR-controlled data in other services, including without limitation add-ons, is not supported. Without limiting the foregoing, data that Customer elects to provide to the Microsoft technical support organization, if any, or data provided by or on Customer’s behalf to Microsoft’s billing or commerce systems in connection with purchasing or ordering ITAR Covered Services, if any, is not subject to the provisions of this Section.  Customer is solely responsible for ensuring that ITAR-controlled data is not included in support information or support case artifacts.
2. Special Terms. ITAR Covered Services. The ITAR Covered Services are cloud services operated in a standardized manner with features and processes common across multiple customers. As part of Customer’s preparation to use the ITAR Covered Services for the storage, processing, or transmission of ITAR-controlled data, Customer should review applicable services documentation. Customer’s compliance with the ITAR will be dependent, in part, on Customer’s configuration of the services and adoption and implementation of policies and practices for Customer’s End Users’ use of ITAR Covered Services. Customer is solely responsible for determining the appropriate policies and practices needed for compliance with the ITAR.
3. Personnel. Microsoft personnel and contractors authorized by Microsoft to access Customer Data (that may include ITAR-controlled data) in the ITAR Covered Services, will be limited to U.S. persons, as that term is defined in the ITAR. Customer may also authorize Microsoft personnel and contractors to access its Customer Data. Customer is solely responsible for ensuring any such authorization is permissible under the ITAR.
4. Use of Subcontractors.As set forth in the OST, Microsoft may hire subcontractors to provide services on its behalf. Any such subcontractors used in delivery of the ITAR Covered Services will be permitted to obtain Customer Data (that may include ITAR-controlled data) only to deliver the ITAR Covered Services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose. Storage and processing of Customer Data in the ITAR Covered Services is subject to Microsoft security controls at all times and, to the extent subcontractor personnel perform services in connection with ITAR Covered Services, they are obligated to follow Microsoft’s policies, including without limitation the geographic restrictions and controls selected by you in the configuration of the ITAR Covered Services. Microsoft remains responsible for its subcontractors’ compliance with Microsoft’s obligations.
5. Notification. The Security Incident handling process defined in the OST will apply to the ITAR Covered Services. In addition, the parties agree to the following:
   1. Customer acknowledges that effective investigation or mitigation of a Security Incident involving ITAR-controlled data may be dependent upon information or services configurations within Enrolled Affiliate’s control. Accordingly, proper treatment of ITAR-controlled data will be a joint obligation between Microsoft and Customer.  If Customer becomes aware of any unauthorized release of ITAR-controlled data to Microsoft or the use of a service other than the ITAR Covered Service to store, process, or transmit ITAR-controlled data, Customer will promptly notify Microsoft of such event and provide reasonable assistance and information necessary for Microsoft to investigate and report such event.
   2. If, subsequent to notification of a Security Incident by Microsoft, Customer determines that ITAR-controlled data may have been subject to unauthorized inspection or disclosure, it is Customer’s responsibility to notify the appropriate authorities of such event, or to notify impacted individuals, if Customer determines such notification is required under applicable law or regulation or Customer’s internal policies.
   3. If either party determines it is necessary or prudent to make a voluntary disclosure to the Directorate of Defense Trade Controls regarding the treatment of ITAR-controlled data in the Online Services, such party will work in good faith to notify the other party of such voluntary disclosure prior to providing such voluntary disclosure. The parties will work together in good faith in the development and reporting of any such voluntary disclosure.
6. Conflicts. If there is any conflict between any provision in this Section and any provision in the Agreement, this Section shall control.

IRS 1075 Covered Services. This section applies to only the IRS 1075 Covered Services, defined below, Customer buys under this Agreement. These terms only apply if Customer provides express notice to Microsoft of its intent to purchase IRS 1075 Covered Services in accordance with the directions provided here:  https://azuregov.microsoft.com/regulationcollection

1. Customer Prerequisites:
   1. Customer is responsible to ensure that the prerequisites established or required by IRS Publication 1075 are fulfilled prior to introducing FTI into the IRS 1075 Covered Services.
   2. Customer acknowledges that the IRS 1075 Covered Services ordered by Customer under the Subscription enable End Users optionally to access and use a variety of additional resources, applications, or services that are (a) provided by third parties, or (b) provided by Microsoft subject to their own terms of use or privacy policies (collectively, for convenience, “add-ons”), as described in services documentation and/or in the portal through which Customer’s administrator(s) will manage and configure the IRS 1075 Covered Services.
   3. Customer is responsible to review Online Services documentation, configure the services, and adopt and implement such policies and practices for Customer’s End Users’ use of IRS 1075 Covered Services, together with any add-ons, as Customer determines are appropriate in order for it to comply with IRS Publication 1075 or other legal or regulatory requirements applicable to Customer and not generally applicable to Microsoft as an IT service provider.
   4. Customer acknowledges that only IRS 1075 Covered Services will be delivered subject to the terms of this Section 11. No other services are supported by the terms of this Section 11.  Without limiting the foregoing, data that Customer elects to provide to the Microsoft technical support organization (“Support Data”), if any, or data provided by or on your behalf to Microsoft’s billing or commerce systems in connection with purchasing/ordering IRS 1075 Covered Services (“Billing Data”), if any, is not subject to the provisions of this Section 11. Customer is solely responsible for ensuring that FTI is not provided as Support Data or Billing Data.
2. IRS Publication 1075 Special Terms.
   1. IRS 1075 Covered Services. The IRS 1075 Covered Services are cloud services operated in a standardized manner with features and processes common across multiple customers. As part of Customer’s preparation to use the services for FTI, Customer should review applicable services documentation. Customer’s compliance with IRS Publication 1075 will be dependent, in part, on Customer’s configuration of the services and adoption and implementation of policies and practices for Customer’s End Users’ use of IRS 1075 Covered Services. Customer is solely responsible for determining the appropriate policies and practices needed for compliance with IRS Publication 1075.
   2. Attachment 1 contains the Safeguarding Contract Language for Technology Services specified by IRS Publication 1075. Microsoft and Customer have agreed that certain requirements of the Safeguarding Contract Language and IRS Publication 1075 will be fulfilled as set forth in the remainder of this section 11.
3. Personnel Records and Training. Microsoft will maintain a list of screened personnel authorized to access Customer Data (that may include FTI) in the IRS 1075 Covered Services, which will be available to you or to the IRS upon written request.  Customer will treat Microsoft personnel personally identifiable information (PII) as Microsoft trade secret or security-sensitive information exempt from public disclosure to the maximum extent permitted by applicable law, and, if required to provide such Microsoft personnel PII to the IRS, will require the IRS to treat such personnel PII the same.
4. Training Records.Microsoft will maintain security and disclosure awareness training records as required by IRS Publication 1075, which will be available to Customer upon written request.
5. Confidentiality Statement.Microsoft will maintain a signed confidentiality statement, and will provide a copy for inspection upon request.
6. Cloud Computing Environment Requirements.The IRS 1075 Covered Services are provided in accordance with the FedRAMP System Security Plan for the applicable services. Microsoft’s compliance with controls required by IRS Publication 1075, including without limitation encryption and media sanitization controls, can be found in the applicable FedRAMP System Security Plan.
7. Use of Subcontractors. Notwithstanding anything to the contrary in Attachment 1, as set forth in the OST, Microsoft may use subcontractors to provide services on its behalf. Any such subcontractors used in delivery of the IRS 1075 Covered Services will be permitted to obtain Customer Data (that may include FTI) only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose. Storage and processing of Customer Data in the IRS 1075 Covered Services is subject to Microsoft security controls at all times and, to the extent subcontractor personnel perform services in connection with IRS 1075 Covered Services, they are obligated to follow Microsoft’s policies. Microsoft remains responsible for its subcontractors’ compliance with Microsoft’s obligations.  Subject to the preceding, Microsoft may employ subcontractor personnel in the capacity of augmenting existing staff, and understands IRS Publication 1075 reference to employees to include employees and subcontractors acting in the manner specified herein. It is the responsibility of the Customer to gain approval of the IRS for the use of all subcontractors. Microsoft maintains a list of subcontractor companies who may potentially provide personnel authorized to access Customer Data in the Online Services, published for Azure branded services at http://azure.microsoft.com/en-us/support/trust-center/, or successor locations identified by Microsoft. Microsoft will update these websites at least 14 days before authorizing any new subcontractor to access Customer Data, Microsoft will update the website and provide Customer with a mechanism to obtain notice of that update.
8. Security Incident Notification.The Security Incident handling process defined in the OST will apply to the IRS 1075 Covered Services. In addition, the parties agree to the following:
   1. Customer acknowledges that effective investigation or mitigation of a Security Incident may be dependent upon information or services configurations within your control.Accordingly, compliance with IRS Publication 1075 Incident Response requirements will be a joint obligation between Microsoft and Customer.
   2. If, subsequent to notification from Microsoft of a Security Incident, Customer determines that FTI may have been subject to unauthorized inspection or disclosure, it is Customer’s responsibility to notify the appropriate Agent-in-Charge, TIGTA (Treasury Inspector General for Tax Administration) and/or the IRS of a Security Incident, or to notify impacted individuals, if Customer determines this is required under IRS Publication 1075, other applicable law or regulation, or Customer’s internal policies.
9. Customer Right to Inspect.
   1. 1. Audit by Customer.Customer will, (i) be provided quarterly access to information generated by Microsoft’s regular monitoring of security, privacy, and operational controls in place to afford you an ongoing view into the effectiveness of such controls, (ii) be provided a report mapping compliance of the IRS 1075 Covered Services with NIST 800-53 or successor controls, (iii) upon request, be afforded the opportunity to communicate with Microsoft’s subject matter experts for clarification of the reports identified above, and (iv) upon request, and at Customer’s expense, be permitted to communicate with Microsoft’s independent third party auditors involved in the preparation of audit reports. Customer will use this information above to satisfy with any inspection requirements under IRS Publication 1075 and agree that the audit rights described in this section are in full satisfaction of any audit that may otherwise be requested by the Customer.
      2. Confidentiality of Audit Materials.Audit information provided by Microsoft to Customer will consist of highly confidential proprietary or trade secret information of Microsoft. Microsoft may request reasonable assurances, written or otherwise, that information will be maintained as confidential and/or trade secret information subject to this agreement prior to providing such information to Agency, and Agency will ensure Microsoft’s audit information is afforded the highest level of confidentiality available under applicable law.
      3. This Section,11.i., is in addition to compliance information available to Customer under the OST.

Criminal Justice Information Services (CJIS). This section applies only to the Azure Government CJIS Covered Services, defined below, Customer buys under this Agreement. These terms only apply if Customer provides express notice to Microsoft of its intent to purchase CJIS Covered Services in accordance with the directions provided here:  https://azuregov.microsoft.com/regulationcollection.

1. Customer’s Prerequisites
   1. Microsoft’s representations as it relates to its CJIS Covered Services’ compliance with the FBI Criminal Justice Information Systems (“CJIS”) Security Addendum (Appendix H of FBI CJIS Policy) are subject to Customer’s incorporation of applicable state-specific CJIS Amendment terms and conditions into Customer’s Subscription.They are also subject to Customer’s incorporation and flow down of such terms in Customer’s contracts with a Covered Entity.
   2. Please visit https://www.microsoft.com/en-us/TrustCenter/Compliance/CJISfor additional information about CJIS Covered States and CJIS Covered Services. Note that not all states are CJIS Covered States and that different CJIS Covered Services may apply in different CJIS Covered States.  For more information about how to sign up for CJIS Covered Services through an Enterprise Agreement, please visit https://azure.microsoft.com/en-us/pricing/enterprise-agreement/.  For purposes of this section, if Customer is not in a CJIS Covered State, then Microsoft is unable to provide CJIS-related representations at this time, and no CJIS Amendment will apply.
   3. Customer can access the terms and conditions of Microsoft’s adherence to the FBI CJIS Policy by contacting the CSA in a CJIS Covered State. The Security Addendum for Private Contractors (Cloud Providers) referenced in the FBI CJIS Policy and CSA-provided terms and conditions is incorporated herein by reference, and Customer acknowledges that Microsoft’s support for CJI will be in accordance with those terms agreed to and/or signed by the applicable state CSA.  Customer also acknowledges that it is Customer responsibility to contact the applicable state CSA for this and any additional information.  Customer is required to, and acknowledges it will, work directly with the applicable state CSA for any CJIS-related documentation and audit requirements.
   4. Customer is responsible to ensure that the CJIS Security Addendum has been signed by the CSA, that the CSA has approved Customer’s use of the Covered Services to store or process CJI, and that any other prerequisites established or required by either the FBI, state CSA, or Customer is fulfilled prior to introducing CJI into the Covered Services.
   5. Customer acknowledges that it will keep records of any Covered Entity to which you provide CJIS State Agreements or other CJIS-related documentation it obtains from the state CSA and shall make such records available to Microsoft promptly upon request.
2. If there is any conflict between any provision in this Section and any provision in the agreement, this Section shall control.

DFARS 252.204-7012. Microsoft Azure Government and GCC High both comply with DFARS 252.204-7012 subsections c-g except that for subsection c, Microsoft will report security incidents to Customer in accordance with and as described in the Microsoft Online Services Terms and Customer will be responsible for reporting the incident to DOD, if required, through http://dibnet.dod.mil.  In addition, it is the Customer’s responsibility, not Microsoft’s, to obtain a medium assurance certificate. Customer who intends to purchase DFARS compliant Services from Microsoft needs to provide additional information here:  https://azuregov.microsoft.com/regulationcollection Miscellaneous.

1. 1.  Notices. You must send notices by mail, return receipt requested, to the address below.

Notices should be sent to:

Microsoft Corporation Volume Licensing Group One Microsoft Way Redmond, WA 98052 USA Via Facsimile: (425) 936-7329

1. 1. You agree to receive electronic notices from us, which will be sent by email to the account administrator(s) named for your Subscription.  Notices are effective on the date on the return receipt or, for email, when sent.  You are responsible for ensuring that the email address for the account administrator(s) named for your Subscription is accurate and current.  Any email notice that we send to that email address will be effective when sent, whether or not you actually receive the email.
   2. Assignment. You may not assign this agreement either in whole or in part.  Microsoft may transfer this agreement without your consent, but only to one of Microsoft’s Affiliates.  Any prohibited assignment is void.
   3. Severability. If any part of this agreement is held unenforceable, the rest remains in full force and effect.
   4. Waiver. Failure to enforce any provision of this agreement will not constitute a waiver.
   5. No agency. This agreement does not create an agency, partnership, or joint venture. 
   6. No third-party beneficiaries. There are no third-party beneficiaries to this agreement.
   7. Use of contractors. Microsoft may use contractors to perform services, but will be responsible for their performance, subject to the terms of this agreement.
   8. Microsoft as an independent contractor. The parties are independent contractors.  Customer and Microsoft each may develop products independently without using the other’s confidential information.
   9. Agreement not exclusive. Customer is free to enter into agreements to license, use or promote non-Microsoft products or services.
   10. Applicable law and venue. This agreement is governed by Washington law, without regard to its conflict of laws principles.  Any action to enforce this agreement must be brought in the State of Washington.  This choice of jurisdiction does not prevent either party from seeking injunctive relief in any appropriate jurisdiction with respect to violation of intellectual property rights.
   11. Entire agreement. This agreement is the entire agreement concerning its subject matter and supersedes any prior or concurrent communications.  In the case of a conflict between any documents in this agreement that is not expressly resolved in those documents, their terms will control in the following order of descending priority: (1) this agreement, (2) the Product Terms, (3) the Online Services Terms, and (4) any other documents in this agreement.
   12. Survival. All provisions survive termination of this agreement except those requiring performance only during the term of the agreement.
   13. U.S. export jurisdiction. Products are subject to U.S. export jurisdiction.  Customer must comply with all applicable international and national laws, including the U.S. Export Administration Regulations, the International Traffic in Arms Regulations, and end-user, end-use and destination restrictions issued by U.S. and other governments related to Microsoft products, services, and technologies.
   14. Force majeure. Neither party will be liable for any failure in performance due to causes beyond that party’s reasonable control (such as fire, explosion, power blackout, earthquake, flood, severe storms, strike, embargo, labor disputes, acts of civil or military authority, war, terrorism (including cyber terrorism), acts of God, acts or omissions of Internet traffic carriers, actions or omissions of regulatory or governmental bodies (including the passage of laws or regulations or other acts of government that impact the delivery of Online Services)).  This Section will not, however, apply to your payment obligations under this agreement.
   15. Contracting authority. If you are an individual accepting these terms on behalf of an entity, you represent that you have the legal authority to enter into this agreement on that entity’s behalf.

Definitions. Any reference in this agreement to “day” will be a calendar day. “Acceptable Use Policy” is set forth in the Online Services Terms. “Affiliate” means any legal entity that a party owns, that owns a party, or that is under common ownership with a party.  “Ownership” means, for purposes of this definition, control of more than a 50% interest in an entity. “Azure Government Services” means one or more of the services or features Microsoft makes available to Enrolled Affiliate under this Enrollment and identified at http://azure.microsoft.com/en-us/regions/#services, which are Government Community Cloud Services. “CJI” means Criminal Justice Information, as defined in FBI CJIS Policy. “CJIS Covered State” means a state, as shown at https://www.microsoft.com/en-us/TrustCenter/Compliance/CJISor another site Microsoft may provide, with which Microsoft and the applicable state have entered into a CJIS State Agreement. “CJIS Covered Service” means, for any state-specific CJIS Amendment, the Microsoft Online Services that are listed as such in that amendment, and for which Microsoft’s CJIS representations apply. “CJIS State Agreement” means an agreement between Microsoft and a Covered State’s CSA (or another entity to which the CSA has delegated its duties) containing terms and conditions under which the Covered State and Microsoft will comply with the applicable requirements of the CJIS Policy.  Each CJIS State Agreement is consistent with the applicable state-specific CJIS Amendment, and includes Microsoft CJIS Security Addendum Certifications.  For clarity, a CJIS State Agreement may be titled “CJIS Information Agreement” or “CJIS Management Agreement.” “Community” means the community consisting of one or more of the following: (1) a Government, (2) a Customer using eligible Government Community Cloud Services to provide solutions to a Government or a qualified member of the Community, or (3) a Customer with Customer Data that is subject to Government regulations for which the Customer determines, and Microsoft agrees, that the use of Government Community Cloud Services is appropriate to meet the Customer’s regulatory requirements.  Membership in the Community is ultimately at Microsoft’s discretion, which may vary by Government Community Cloud Service. “Compliance Trust Center Page” means the compliance page of the Microsoft Trust Center, published by Microsoft at https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspxor a successor site Microsoft later identifies. “Consumption Offering”, “Commitment Offering”, or “Limited Offering” describe categories of Subscription offers and are defined in Section 2. “Covered Entity” means any State/Local Entity in a Covered State with which you maintain a contractual relationship whose use of CJIS Covered Services is subject to CJIS Policy. “CSA” means, for each CJIS Covered State, that state’s CJIS Systems Agency, as defined in FBI CJIS Policy. “Customer Data” is defined in the Online Services Terms. “End User” means any person you permit to access Customer Data hosted in the Online Services or otherwise use the Online Services. With respect to ITAR Covered Services, End User means an individual that accesses the ITAR Covered Services. With respect to IRS 1075 Covered Services, End User means an individual that accesses the IRS 1075 Covered Services. “Federal Agency” means a bureau, office, agency, department or other entity of the United States Government. “Fix” means a Product fix, modifications or enhancements, or their derivatives, that Microsoft either releases generally (such as Product service packs) or provides to Customer to address a specific issue. “FTI” is defined as in IRS Publication 1075. “Government” means a Federal Agency, State/Local Entity, or Tribal Entity acting in its governmental capacity. “Government Community Cloud Services” means Microsoft Online Services that are provisioned in Microsoft’s multi-tenant data centers for exclusive use by or for the Community and offered in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-145.  Notwithstanding that other Microsoft Online Services that are Government Community Cloud Services are designated as such in the Use Rights and Product Terms, Office 365 GCC High is hereby deemed to be a Government Community Cloud Service, for purposes of this Amendment. The term “Government Community Cloud Services” also includes, without limitation, Azure Government Services and Enterprise Mobility + Security GCC High. “IRS 1075 Covered Services” means Azure Government services listed as being in the scope for IRS 1075 at http://azure.microsoft.com/en-us/support/trust-center/compliance/irs1075/or its successor site. Without limitation, IRS 1075 Covered Services do not include any other separately branded Online Services. “IRS Publication 1075” means the Internal Revenue Services (IRS) Publication 1075 effective January 1, 2014, including updates (if any) released by the IRS during the term of the Enrollment. “ITAR” means the International Traffic in Arms Regulations, found at 22 C.F.R. §§ 120 – 130. “ITAR-controlled data” means Customer Data that is regulated by the ITAR as Defense Articles or Defense Services. “ITAR Covered Services” means, solely with respect to this Amendment, the (i) Office 365 GCC High services; and (ii) Azure Government services, listed as being in the scope for the ITAR at https://www.microsoft.com/en-us/TrustCenter/Compliance/itaror its successor site. “Licensing Site” means http://www.microsoft.com/licensing/contractsor a successor site. “Microsoft Trust Center Compliance Page” is Microsoft’s website accessible at https://www.microsoft.com/en-us/TrustCenter/Compliance/or a successor upon which Microsoft provides information about how each of its Online Services complies with, and/or is certified under, various government and industry control standards. “Non-Microsoft Product” is defined in the Online Services Terms. “Office 365 Service Descriptions” means, collectively and solely for this Amendment, the Service Descriptions for Office 365 High, published by Microsoft at https://technet.microsoft.com/en-us/library/mt774581.aspx(for the product superset, Office 365 US Government) and https://technet.microsoft.com/en-us/library/mt774968.aspx(for the product subset, Office 365 GCC High), or at successor sites Microsoft later identifies. “Office 365 US Government” means the Government Community Cloud Service described by the Office 365 Service Descriptions “Office 365 GCC High” means the Government Community Cloud Service described by the Office 365 Service Descriptions. “Online Services” means any of the Microsoft-hosted online services subscribed to by Customer under this agreement, including Microsoft Dynamics Online Services, Office 365 Services, Microsoft Azure Services, or Microsoft Intune Online Services. “Online Services Terms” means the additional terms that apply to Customer’s use of Online Services published on the Licensing Site and updated from time to time. “Previews” means preview, beta, or other pre-release version or feature of the Online Services or Software offered by Microsoft to obtain customer feedback. “Product” means all products identified in the Product Terms, such as all Software, Online Services and other web-based services, including Previews. “Product Terms” means the document that provides information about Microsoft Products and Professional Services available through volume licensing.  The Product Terms document is published on the Licensing Site and is updated from time to time. “Professional Services” means Product support services and Microsoft consulting services provided to Customer under this agreement.  “Professional Services” does not include Online Services. “Reseller” means an entity authorized by Microsoft to resell Software licenses and Online Service Subscriptions under this program and engaged by you to provide assistance with your Subscription. “SLA” means Service Level Agreement, which specifies the minimum service level for the Online Services and is published on the Licensing Site. “Software” means licensed copies of Microsoft software identified on the Product Terms. Software does not include Online Services, but Software may be a part of an Online Service. “State/Local Entity” means (1) any agency of a state or local government in the United States, or (2) any United States county, borough, commonwealth, city, municipality, town, township, special purpose district, or other similar type of governmental instrumentality established by the laws of Customer’s state and located within Customer’s state’ jurisdiction and geographic boundaries. “Subscription” means an enrollment for Online Services for a defined Term as established by your Reseller. “Technical Data” has the meaning provided in 22 C.F.R. § 120. “Term” means the duration of a Subscription (e.g., 30 days or 12 months). “Tribal Entity” means a federally-recognized tribal entity performing tribal governmental functions and eligible for funding and services from the U.S. Department of Interior by virtue of its status as an Indian tribe. “Use Rights” means the use rights or terms of service for each Product published on the Licensing Site and updated from time to time.  The Use Rights supersede the terms of any end user license agreement that accompanies a Product.  The Use Rights for Software are published by Microsoft in the Product Terms.  The Use Rights for Online Services are published in the Online Services Terms. ATTACHMENT 1 Internal Revenue Services Federal Tax Information Safeguarding Addendum In performance of its obligations to deliver the IRS 1075 Covered Services under the Agreement, Microsoft agrees to comply with the requirements contained in Exhibit 7 (Safeguarding Contract Language for Technology Services) from IRS Publication 1075, as set forth below. For purposes of this Attachment 1, “contractor” refers to Microsoft, “agency” refers to Customer, and “contract” refers to the Customer Agreement, inclusive of the Amendment.

1. PERFORMANCE

In performance of this contract, the contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements: (1)   All work will be performed under the supervision of contractor or the contractor’s responsible employees. (2)   Any return or return information made available shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Addendum. Disclosure to anyone other than an officer or employee of the contractor will be prohibited. (3)   All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material. (4)   The contractor certifies that the data processed during the performance of this contract will be completely purged from all data storage components of their computer facility, and no output will be retained by contractor at the time the work is completed. If immediate purging of all data storage components is not possible, contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures. (5)   Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used. (6)   All computer systems receiving, processing, storing, or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal Tax Information. (7)   No work involving Federal Tax Information furnished under this contract will be subcontracted without prior written approval of the IRS. (8)   The contractor will maintain a list of employees authorized access. Such list will be provided to the Company and, upon request, to the IRS reviewing office. (9)   The agency will have the right to void the contract if the contractor fails to provide the safeguards described above.

1. CRIMINAL/CIVIL SANCTIONS

(1)   Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1. (2)   Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431. (3)   Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000. (4)   Granting a contractor access to FTI must be preceded by certifying that each individual understands the agency’s security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the agency’s files for review. As part of the certification and at least annually afterwards, contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. (See Section 10) For both the initial certification and the annual certification, the contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements. III. INSPECTION The IRS and the Agency shall have the right to send its officers and employees into the offices and plants of the contractor for inspection of the facilities and operations provided for the performance of any work under this contract. On the basis of such inspection, specific measures may be required in cases where the contractor is found to be noncompliant with contract safeguards.