Effective date: 2024-06-30
This eSurfing Cloud Vulnerability Scanner Service Agreement (hereinafter referred to as "the Agreement") is made between the user (“Party A” or “Customer”) and China Telecom (“Party B”). Party B agrees to provide eSurfing Cloud Vulnerability Scanner services to Party A through the eSurfing Cloud Website (www.esurfingcloud.com, hereinafter referred to as “the Site” or “eSurfing Cloud”) as stipulated in this Agreement. Party A agrees to use these services in accordance with this Agreement.
Before using the eSurfing Cloud Vulnerability Scanner services, Party A should carefully read, understand, and agree to accept and comply with this Agreement. By clicking to agree or by using the eSurfing Cloud Vulnerability Scanner services in any manner, Party A agrees to and accepts all the terms of this Agreement, which then constitutes a binding legal document between Party A and Party B. If Party A does not agree to this Agreement, please do not use the eSurfing Cloud Vulnerability Scanner services.
Article 1. Product and Service Description
1.1 According to this Agreement, Party B will provide the eSurfing Cloud Vulnerability Scanner service (“the Service”) to the Customer, which is a multifunctional vulnerability scanning product designed for eSurfing Cloud customers. This includes security vulnerability scanning for network hosts and web applications, as well as security configuration verification functions. This product efficiently and comprehensively detects various vulnerability risks in the network, has an extensive knowledge base of vulnerabilities and configurations and offers professional and effective security analysis and remediation recommendations.
Article 2. Service Content
2.1 Party B provides eSurfing Cloud Vulnerability Scanner services to Party A as agreed in this Agreement. The specific content of the Service shall be based on the services displayed on the Website and actually provided by Party B upon Party A’s application. Party B reserves the right to continuously update the service content.
2.2 Service Prerequisites: To use the Service, Party A shall first meet all of the following conditions:
2.2.1 Agree to and accept the eSurfing Cloud Website User Agreement, successfully register as a user of the Site and maintain a legal and valid user account as at the time of signing this Agreement and throughout the performance of this Agreement;
2.2.2 Agree to and accept the terms of this Agreement;
2.2.3 Agree to and accept the eSurfing Cloud Service Agreement and eSurfing Cloud Privacy Policy Statement;
2.2.4 Subscribe to and use the Service in accordance with the Service Rules of the Site;
2.2.5 At the time of signing and during the performance of this Agreement, all the qualifications or government approval procedures required for legal operations have been obtained and maintained in accordance with the relevant national or regional regulations and the relevant qualification documents have been submitted in accordance with this Agreement to Party B and approved by Party B.
2.2.6 The relevant licenses or approvals that Party A shall obtain and maintain include but are not limited to the following:
2.2.6.1 If Party A operates a website, it shall ensure that all the websites it operates have been licensed or approved by the relevant authorities of the relevant countries;
2.2.6.2 If Party A provides non-commercial Internet information services, it shall go through the filing procedures of non-commercial websites and ensure that all the filing information submitted is true and valid and submit the updated information in the filing system in a timely manner if there is any change in the filing information;
2.2.6.3 If the website provides commercial Internet information services, Party A shall also obtain a commercial website license from the local communications administrative department;
2.2.6.4 If Party A provides electronic bulletin services such as BBS, it must also conduct filing or obtain corresponding approval according to relevant laws and regulations;
2.2.6.5 If Party A operates an Internet game website, it shall obtain an Internet culture business permit in accordance with laws;
2.2.6.6 If Party A operates an Internet video website, it shall obtain an information network program license in accordance with laws;
2.2.6.7 If Party A engages in Internet information services such as news, publishing, education, medical care, pharmaceuticals, and medical devices, it shall be reviewed and approved by the relevant competent authorities in accordance with laws, administrative regulations and relevant state regulations. Party A shall obtain the approval by relevant competent authorities in accordance with laws before applying for business license or completing the filing procedures.
2.2.6.8 The above list does not exhaust all types of licenses or approvals required for commercial or non-commercial activities that Party A engages in. Party A shall obtain relevant licenses or approvals and shall comply with relevant national and local laws and regulations promulgated from time to time.
2.2.7 Other prerequisites for using the Service as stipulated in this Agreement.
Article 3. Service Charges
3.1 After carefully reading the Service Rules corresponding to the purchased service, Party A can purchase the required service online through the Site according to its own needs, or the account manager can assist in activating it at the service console. After the service is activated, Party A can log in to the Site and complete the relevant configuration and operation of the Service in the management console.
3.2 If there is any inconsistency in the main text of this Agreement, attachments, Service Rules, service descriptions, price descriptions, confirmation terms on the order page, etc. on the relevant pages of the website, they shall be applicable in the following order of precedence: (1) service descriptions, price descriptions and other ordering pages on the relevant webpages on the Site, (2) Service Rules, (3) the main text of this Agreement, and (4) the attachments to this Agreement.
Article 4. Service Charges
4.1 The eSurfing Cloud Vulnerability Scanner service supports monthly/annual billing methods. Customers should pay the service fees to Party B as prompted on the order page and agreed in this Agreement. Party B reserves the right to update the prices and payment methods at any time and the updates will be announced on the eSurfing Cloud website.
4.2 Resource Expiry/Deletion and Payment Default Handling
4.2.1. For fixed monthly/annual subscriptions, if the Customer intends to continue its use of the Service after the expiration of the current service period, it shall renew and pay for the subscription in a timely manner. Otherwise, Party B will suspend the Customer’s permissions to perform operations for the instance and freeze the resources on the instance when the service period expires.
4.2.2. After the expiration of the service period or the early termination of the service period (including early termination agreed upon by both parties or due to other reasons, etc.), Party B will, following the expiration of the service period, retain the resources of the cloud server instance and continue to store the Customer’s data for fifteen (15) days (i.e., starting from the moment the Customer’s permissions to perform operations are suspended and ending at the same moment on the fifteenth (15th) day thereafter). If the Customer fails to renew and pay for the subscription within the said period of fifteen (15) days, Party B shall have the right to immediately release the resources of the instance occupied by the Customer and delete the instance data thereon upon the expiration of such period.
4.2.3. For the avoidance of doubt, "instance resources" mentioned here refer to a series of aggregated data including underlying resources, source library information, or target library information and customer data. "Instance data" refers to data including but not limited to deployed machines, specifications, and validity periods.
Article 5. Specifications of Service
5.1. The Customer understands and agrees that the use of the Service is the result of its independent and prudent judgment, and that the Customer shall be responsible for the results of its own judgment and actions.
5.2. After completing the purchase process, Party B shall activate and provide Vulnerability Scanner for the Customer. Once activated, the Customer can log into the Site and perform configurations and operations for Vulnerability Scanner in the management console.
5.3. Party A shall provide necessary technical parameters to Party B, including but not limited to IP address ranges and corresponding application types, server-related parameters, network structure, and network resources, and actively cooperate with Party B to complete the activation, commissioning, and maintenance of the Vulnerability Scanner service to ensure its normal operation.
5.4. Party A understands and acknowledges that after the Service is activated, for technical upgrades, service system upgrades, or adjustments due to business strategies or in cooperation with major national technical and regulatory policy changes, eSurfing Cloud does not guarantee the permanent provision of a particular service and has the right to update the form, specifications, or other aspects of the services provided (such as service prices and billing models). Party B will make its best effort to notify the Customer in advance through announcements on the Site, internal messages, emails, or SMS in one or more ways before terminating such services or making such changes.
5.5. Party A understands and agrees that when using this Service, it is responsible for performing operations to complete data backups and bear any losses and consequences caused by data loss, omission, damage, or leakage due to its own reasons. Party A understands and agrees that Party B is not liable for this.
5.6. Party A is responsible for its own operations.
5.7. If Party A uses Elastic Cloud Server, Elastic Volume Service and other eSurfing Cloud services that are necessary while using eSurfing Cloud Vulnerability Scanner (unless otherwise agreed by both parties), Party A shall pay the service fees according to the corresponding service fee standards and comply with the respective service terms.
5.8. Party A understands and agrees that the Service requires vulnerability scanning tests on agreed websites, hosts and other assets, collecting necessary data for analysis and providing remediation suggestions. Before using the Service, Party A shall ensure that it has read and fully understood all the content and details of the vulnerability scanning service. Party A shall carefully read the vulnerability scanning service guidelines and instructions, independently determine the suitability of the vulnerability scanning service and operate according to the relevant operational guidelines.
5.9. When Party A conducts scanning and other operations on the specified host/Web service (hereinafter referred to as “the target asset”) through the Vulnerability Scanner service, it shall ensure it has the legal rights to scan and detect the target assets, and that the target assets are owned by Party A or authorized accordingly. Party A shall bear all consequences and responsibilities arising from its violation of the aforementioned commitments or relevant legal provisions, and Party B has the right to immediately stop providing related tools and services.
5.10. Party A understands and agrees that vulnerability scanning will conduct scanning and detection on all ports of the target asset. Party A agrees to authorize Party B to collect and use its information, including usernames and passwords for logging into websites or hosts for the purpose of the Service.
5.11. Party A authorizes Party B to log into the target assets using the authentication information provided by Party A, collect security feature information related to system accounts, operating system versions, software versions, processes, ports and system logs for relevant vulnerability analysis or configuration verification.
5.12. During vulnerability scanning on the target assets, a series of probing data packets will be sent. These probing data packets may be identified as harmful traffic by other security services within eSurfing Cloud, third-party security services and other Internet Service Providers (ISPs). Party A shall adopt a cautious and necessary principle when probing the target assets, minimizing the impact on other services and eSurfing Cloud infrastructure. eSurfing Cloud reserves the right to limit or terminate the Service based on identified probing traffic conditions or complaints received if Party A's usage exceeds reasonable limits.
5.13. Party A understands and agrees that although the Service is designed to minimize the impact on the target system being scanned, due to the design of some systems, the probing data packets may cause these systems to experience denial of service or reboot during scanning.
5.13.1. Party B recommends that if the target asset is a primary-standby environment system, the scanning should be conducted in the order of standby first, then primary. The system administrator, network administrator and security administrator shall confirm and exclude devices that are prone to problems, or back up the virtual system and conduct system scanning in the backup.
5.13.2. If there is no backup environment, it is recommended to scan the target assets during non-service hours or business downtime. The scanning process shall involve system administrators, network administrators and relevant business personnel to promptly address any unexpected issues.
Article 6. User Service Warranty
6.1. Party B provides Party A with customer service via the service hotline +852 3100 0000.
6.2. Party B shall provide 7 days x 24 hours customer service to Party A.
Article 7. Technical Support Warranty
7.1. After Party B accepts handling of Party A’s fault or handling of Party A’s non-fault, Party B will provide Party A with technical support warranty according to the specific situation and Party A’s needs. The service hours of Party B’s engineers are 7 days x 24 hours.
Article 8. Rights and Obligations of Party A
8.1. Party A has the right to use the Service in accordance with this Agreement and obtain technical support and after-sales service from Party B.
8.2. Party A understands and agrees that for the security of Party A’s data and system, when Party A requires Party B’s engineers to directly operate its Services, Party A should authorize it by email, work order, telephone and other means. Party A shall designate a single contact person as the authorizer (maintainer) who shall authorize Party B when necessary, which means that only the authorized person has the right to require Party B’s engineers to operate its Services. Party B is only responsible for the operation and maintenance of the underlying parts below the operating system. The operating system and the parts above it (such as the applications installed by Party A on the system) are the responsibility of Party A. In addition, during the period of authorization, if Party A fails to communicate with Party B’s engineers and conducts operations on its own, the business unavailability and other risks resulting from such failure shall be borne by Party A.
8.3. If Party A violates any of the warranties in this Agreement, the eSurfing Cloud Website User Agreement and the eSurfing Cloud Service Agreement, including but not limited to the following circumstances, Party A shall bear the corresponding liability for breach of contract:
8.3.1. Where Party A does not have all the qualifications and permits required to carry out business and perform relevant procedures when signing this Agreement, or loses all or part of its qualifications and permits during the validity period of this Agreement, Party B has the right to suspend the provision of cloud business services and require Party A to make corrections within the time limit. If Party A fails to make corrections within the time limit, Party B has the right to terminate this Agreement without assuming any liability. Party A shall bear the liability for breach of contract and compensate Party B for the corresponding losses;
8.3.2. Where Party A uses the Service to upload, download, store and publish content that violates laws and regulations, departmental regulations or national policies, and information that infringes on the legitimate rights and interests of others and/or other information or content that is harmful to social order, public security, and public morals;
8.3.3. Where Party A carries out fraudulent and misleading behaviors such as gambling with prizes and gambling games, or conducts "private servers", "plug-ins" and other internet activities that infringe on the intellectual property rights or other legitimate rights and interests of others;
8.3.4. Where Party A conducts malicious scanning, illegal intrusion into the system, illegal acquisition of data and other behaviors that damage or attempt to damage network security;
8.3.5. Where Party A runs irrelevant programs or intentionally writes malicious codes, causing a large amount of server memory, CPU or network bandwidth resources being occupied;
8.3.6. Where Party A engages in any activities including but not limited to "DNS resolution", "security services", "domain name proxy", "reverse proxy", etc. that may cause users to frequently suffer attacks (including but not limited to DDoS attacks), thereby affecting the eSurfing Cloud service platform or others;
8.3.7. Party A understands and fully acknowledges that although Party B has established (and will continue to improve according to technological development) necessary technical measures to defend against computer viruses, network intrusions and attacks (including but not limited to DDoS) and other matters that endanger network security (hereinafter collectively referred to as “such Behaviors”), in view of the limitations, relativity and unpredictability of network security technology and the unpredictability of such Behaviors, if Party A's account experiences such Behaviors, which do harm to Party B or Party B's network or server (including but not limited to local, foreign and international networks, servers, etc.), or cause harm, or affect the smooth communication between Party B and the Internet or between Party B and specific networks, servers, and Party B's internal communications, Party B shall have the right to decide to suspend or terminate the Service. If a major network accident is caused to Party B for reasons attributable to Party A, Party B will reserve the right to claim compensation from Party A. If a crime is involved, Party A shall bear criminal responsibility according to the laws.
8.3.8. If Party B terminates the provision of the Service to Party A due to reasons set out in the above clauses (other than due to breach by Party A), Party B will calculate the service fee based on the actual number of days used by Party A and return the remaining balance (if any) to Party A's eSurfing Cloud account.
8.4. Party A shall be responsible for the integrity and confidentiality of the data stored on the eSurfing Cloud platform and the codes and passwords for accessing and managing various products and services on the eSurfing Cloud platform and shall take necessary and effective confidentiality and security protection measures, including but not limited to standardizing data access and account usage rights management, setting strong passwords and changing them regularly. Party A shall bear the losses and consequences caused by the loss or leakage of the above-mentioned data, codes, passwords, and alike due to improper maintenance or improper confidentiality by Party A.
8.5. If services in Mainland China are involved, Party A must keep the access log records of its website in accordance with the provisions of the Cybersecurity Law, the Administrative Measures on Internet Information Services and other laws and regulations, including the content of the published information, the time of publication, and the Internet Protocol address (IP), domain names, and alike, which shall be provided to the relevant state agency when it inquires according to the law. Party A shall bear the corresponding legal liabilities arising from failure to keep relevant records as required.
Article 9. Term and Termination of Agreement
9.1. This Agreement becomes effective from the date when Party A successfully purchases or applies for activation of the product, and terminates when the subscription service period of Party A expires, unless otherwise agreed by the Parties.
9.2. This Agreement may be terminated earlier if the Parties reach a consensus.
9.3. Party B has the right to terminate this Agreement under the following circumstances:
9.3.1. Party B discovers on its own or based on information from relevant departments, complaints from rights holders, etc., that the assets added or scanned by Party A have not obtained legal authorization.
9.3.2. According to the requirements of laws and regulations or government agencies;
9.3.3. Where Party B believes that continuing to provide services to Party A will cause huge economic or technical burdens or major security risks to Party B;
9.3.4. Due to any changes in laws or policies, it is not practical for Party B to continue to provide services to Party A;
9.3.5. Where Party A fails to pay relevant fees in full and on time;
9.3.6. Where Party A violates the eSurfing Cloud Website User Agreement, the eSurfing Cloud Service Agreement, Legal Notice of the Website of eSurfing Cloud or the eSurfing Cloud Privacy Policy Statement of the Site;
9.3.7. Where Party A no longer meets any of the Prerequisites for the Service set out in Article 2.2 herein; or
9.3.8. Where Party A violates other terms of this Agreement.
9.4. If Party B terminates this Agreement due to Party A's breach, Party B shall, without prejudice to its other rights and remedies under this Agreement or the law, have the right to withhold the remaining balance (if any) in Party A's eSurfing Cloud account to offset any losses and damages caused to Party B by Party A's breach.
9.5. Party B may terminate the Service 30 days in advance by publishing an announcement on the Site, or by sending Party A an in-Site notice or a written notice, at which time Party B shall return the amount paid by Party A but not consumed by Party A (without interest) to Party A's eSurfing Cloud account.
9.6. If any clause in this Agreement is completely or partially invalid or unenforceable for any reason, the remaining clauses in this Agreement shall still be valid and binding.
Article 10. Others
10.1. The termination of this Agreement will not affect the effectiveness of the eSurfing Cloud Website User Agreement, eSurfing Cloud Service Agreement, and eSurfing Cloud Privacy Policy Statement between Party A and Party B. If the eSurfing Cloud Website User Agreement, eSurfing Cloud Service Agreement, or eSurfing Cloud Privacy Policy Statement between Party A and Party B is terminated, this Agreement will be automatically terminated.
10.2. For matters not stipulated in this Agreement, the Parties shall abide by the provisions set out in the eSurfing Cloud Website User Agreement, eSurfing Cloud Service Agreement, and eSurfing Cloud Privacy Policy Statement. If there is any conflict between this Agreement, the eSurfing Cloud Website User Agreement, eSurfing Cloud Service Agreement and eSurfing Cloud Privacy Policy Statement on the same matter, this Agreement shall prevail.
10.3. The latest version of the eSurfing Cloud Service Agreement can be found via the following hyperlink:
https://www.esurfingcloud.com/portal/protocol/20685742
The latest version of the eSurfing Cloud Website User Agreement can be found via the following hyperlink:
https://www.esurfingcloud.com/portal/protocol/10144340
The latest version of the eSurfing Cloud Privacy Policy Statement can be found via the following hyperlink:
https://www.esurfingcloud.com/portal/protocol/10139040
10.4. In the event of any conflict or inconsistency between the English and the Chinese versions of this Agreement, the English version shall prevail. If any part of the Chinese version is unclear, reference shall be made to the English version.
Appendix
eSurfing Cloud Vulnerability Scanner Service Level Agreement
Effective date: 2024-06-30
Article 1. General Provisions
China Telecom (hereinafter referred to as "Party B"; hyperlink: https://www.esurfingcloud.com) provides Vulnerability Scanner Service (hereinafter referred to as this "Service") to the user (also referred to as the "Customer" or "Party A", together with Party B or China Telecom referred to as the "Parties") in accordance with the provisions of this Service Level Agreement (also known as "SLA") and its operating rules as may be amended from time to time. Party B reserves the right to modify the terms of the SLA at any time.
Article 2. Service Commitment
Party B guarantees that the service availability of the Vulnerability Scanner instance will be no less than 99.95% for each service period.
Article 3. Service Description
A Service Cycle is defined as a calendar month. Any duration less than a calendar month shall not constitute a complete Service Cycle. Unless otherwise specified, one Service Cycle refers to the total number of days in the service period multiplied by 24 (hours) multiplied by 60 (minutes).
Single Instance Service Unavailability refers to when the logs in the Vulnerability Scanner system show that the service is continuously inaccessible for more than one minute due to reasons attributable to eSurfing Cloud, and the resources of the Vulnerability Scanner service cannot be used. Unavailability of less than one minute is not counted.
Service Availability Rate for a single container security instance for each Service Cycle can be calculated by referring to the following formula:
Service Availability Rate for a given Service Cycle = (Total Minutes of Single Instance Service in a Service Cycle – Unavailable Minutes of Single Instance Service in a Service Cycle) / Total Minutes in a Service Cycle * 100%.
Article 4. Service Credit
4.1. Credit method
In the event Party B does not meet the commitment on the Service Availability Rate specified in this SLA, Party A is entitled to claim Service Credits as specified in the SLA, which shall be the sole and exclusive compensation for any performance or availability issues for the Service under this SLA.
Service Availability | Compensated Duration (Minutes) |
99.00% <= SLA < 99.95% | 4,320 |
95.00% <= SLA < 99.00% | 12,960 |
SLA < 95.00% | 43,200 |
4.2. Time limit for claims
(1). Party A may submit a Service Credit claim through the ticket system of the corresponding account after the fifth (5th) business day of the month following the end of the Service Cycle during which the service failed to meet the committed availability. After Party A submits a compensation claim, Party B will conduct the necessary verification. In the event of a dispute between the parties regarding the calculation of service availability for the service month, both parties agree that the final determination will be based on Party B's backend records.
(2). The latest time for Party A to submit a compensation claim shall not exceed sixty (60) calendar days after the end of the service month that did not meet the standard. If Party A fails to submit a compensation claim within sixty (60) days after the end of the Service Cycle that did not meet the standard, or if Party A submits a compensation claim after sixty (60) days following the end of the Service Cycle that did not meet the standard, or if Party A submits the claim in a manner not specified in this agreement, it will be deemed that Party A has automatically waived the right to claim compensation and any other rights against Party B. Party B has the right not to process the compensation claim and will not provide any compensation or reimbursement to Party A.
Article 5. Force Majeure and Exemption
Service Unavailability does not include the unavailability of the Vulnerability Scanner service resulting from any of the following activities:
(1) Scheduled system maintenance, including cutover, repair, upgrade, or simulated failure exercises, for which Party B has provided prior notice to Party A;
(2) Non-Party B network failures, device faults, or configuration changes;
(3) Unavailability caused by Party A's application or installation activities;
(4) Party A's application programs attacked by hackers;
(5) Operations authorized by Party A or any Party A's misjudgment in operations;
(6) Loss or disclosure of data, including passphrases and passwords, due to improper maintenance or confidentiality by Party A;
(7) Unavailability caused by Party A's self-upgrading of the operating system;
(8) Caused by operating system vulnerabilities;
(9) The service of Party A is suspended or terminated at the request of regulatory authorities in accordance with laws and regulations, or in accordance with the agreement and the policies referenced in the agreement;
(10) Unavailability caused by Party A's failure to use the service in accordance with the service usage documentation or operational guidelines (such as stopping or restarting the Vulnerability Scanner system through the console, API, or other control methods);
(11) Unavailability caused by other reasons not attributable to Party B;
(12) Caused by force majeure and unexpected events. Force majeure and unexpected events refer to objective events that cannot be foreseen, overcome, or avoided and have a significant impact on one or both parties, including but not limited to natural disasters such as floods, earthquakes, epidemics, and social events such as wars, strikes, riots, government actions, interruption of telecommunications trunk lines, hacker attacks, network congestion, telecommunications department technical adjustments and government regulations.
When Party B is unable to fulfill its obligations due to the above reasons, Party B shall not be held responsible. If either party fails to perform this agreement in whole or in part due to force majeure, upon written notification to the other party, the affected terms of this contract shall be exempted from liability for the duration and to the extent of the impact. Once the cause for exemption is corrected and remedied, both parties agree to make best efforts to resume the performance of this contract.