OneBridge Solutions, Inc. - Windows Azure Agreement This Windows Azure Agreement is between the party accepting this agreement and OneBridge Solutions Inc. ("OneBridge") and consists of the below terms and conditions, the Acceptable Use Policy, the Services Terms, the SLAs, and the pricing and related terms listed on the Portal for your Subscription. It is effective on the date we provide you with confirmation of your first order. Key terms are defined in Section 10. 1. Use of Services. a. Right to use. We grant you the right to access and use the Services and to install and use Software included with your Subscription, as further described in this agreement. You may create and maintain a Customer Solution, which you may permit third parties to access and use provided the Customer Solution adds material functionality to the Services and is not primarily a substitute for the Services. We reserve all other rights. b. Manner of use. You may use the Product only in accordance with this agreement. You may not reverse engineer, decompile, disassemble or work around technical limitations in the Product, except where applicable law permits it despite this limitation. You may not disable, tamper with or otherwise attempt to circumvent any billing mechanism that meters your use of the Product. You may not rent, lease, lend, resell, transfer, or sublicense any Product to or for third parties. c. End Users. You control access by your End Users, and you are responsible for their use of the Product in accordance with this agreement. For example, you will ensure End Users comply with the Acceptable Use Policy. d. Customer Data. You are solely responsible for the content of your Customer Data. You will secure rights in Customer Data necessary for us to provide you the Services without violating the rights of any third party, or otherwise obligating Microsoft to you or to any third party. Microsoft does not and will not accept any obligations set forth in any separate license or other agreement that may apply to Customer Data or your use of the Products. e. Non‐Microsoft Products. i. We may make Non‐Microsoft Products available to you through the Portal or other means. The use of a Non‐ Microsoft Product will be governed by separate terms between you and the third party providing that Non‐ Microsoft Product. For your convenience, Microsoft may include charges for the Non‐Microsoft Product as part of your bill for the Services. Microsoft, however, assumes no responsibility or liability whatsoever for the Non‐ Microsoft Product. ii. You are solely responsible for any Non‐Microsoft Product that you install or use with the Services. We are not a party to and are not bound by any terms governing your use of Non‐Microsoft Product. iii. If you install or use any Non‐Microsoft Product with the Services, then you, not Microsoft, direct and control the installation and use of it in the Services through your actions (for example, through your use of application programming interfaces and other technical means that are part of the Services). We will not run or make any copies of such Non‐Microsoft Product outside of our relationship with you. iv. If you install or use any Non‐Microsoft Product with the Services, you may not do so in any way that would subject our intellectual property or technology to obligations beyond those included in this agreement. f. Responsibility for your accounts. You are also responsible for maintaining the confidentiality of any non‐public authentication credentials associated with your use of the Services. You must promptly notify our customer support team about any possible misuse of your accounts or authentication credentials, or any security incident related to the Services. g. Updates. We may make changes to the Services from time to time. We will provide you with 12 months prior notice before removing any material feature or functionality (excluding Previews), unless security, legal or system performance considerations require an expedited removal. h. Preview releases. We may make available Previews. PREVIEWS ARE PROVIDED "AS‐IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SLAS AND LIMITED WARRANTY. Previews may be subject to reduced or different security and privacy commitments, as further explained in the Privacy Statement and any additional notices provided with the Preview. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into "General Availability." 2. Security, privacy, and data protection. a. Security. We maintain appropriate technical and organizational measures, internal controls, and data security routines intended to protect Customer Data against accidental loss or change, unauthorized disclosure or access, or unlawful destruction. Current information on our security practices can be found at the Trust Center. b. Privacy and data location. We treat Customer Data in accordance with our Privacy Statement. Subject to any restrictions set forth in the Privacy Statement, we may transfer to, store, and process Customer Data in any country where we or our Affiliates or subcontractors have facilities used for Services. We are a data processor (or sub‐processor) acting on your behalf, and you appoint us to do these things with Customer Data in order to provide the Services to you. You will obtain any necessary consent from End Users or others whose personal information or other data you will be hosting in Services. c. Ownership of Customer Data. Except for Software we license to you, as between the parties, you retain all right, title and interest in and to Customer Data. We acquire no rights in Customer Data, other than the right to host Customer Data on Microsoft systems, including the right to use and reproduce Customer Data within Microsoft systems solely for such hosting purposes. d. Use of Customer Data. We will use Customer Data only to provide you the Services. This use may include troubleshooting to prevent, find and fix problems with the operation of the Services. It may also include improving features for finding and protecting against threats to users. We will not use Customer Data or derive information from it for any advertising or other commercial purposes without your consent. e. Third party requests. We will not disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as you direct or unless required by law. Should a third party contact us with a demand for Customer Data, we will ask the third party to contact you directly and may provide your basic contact information to the third party. If compelled to disclose Customer Data to a third party, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited. You are responsible for responding to requests by a third party regarding your use of Services, such as a request to take down content under the Digital Millennium Copyright Act. f. Subcontractors. We may hire other companies to provide limited services on our behalf, such as customer support. Any such subcontractors will be permitted to obtain Customer Data only to deliver the services we have retained them to provide, and they are prohibited from using Customer Data for any other purpose. We remain responsible for our subcontractors' compliance with the obligations set forth in this agreement. g. Compliance with law. We will comply with all laws applicable to our provision of the Services, including applicable security breach notification laws, but not including any laws applicable to you or your industry that are not generally applicable to information technology services providers. You will comply with all laws applicable to your Customer Solution, Customer Data, and use of the Services, including any laws applicable to you or your industry. 3. Purchasing Services. a. Available Offers. The Portal provides pricing and related terms for available Subscription offers, which generally can be categorized as one or a combination of the following: i. Commitment Offering. You commit in advance to purchase a specific quantity of Services for use during a Term and pay upfront or on a periodic basis during the Term in advance of use. Additional or other usage (for example, usage beyond your commitment quantity) may be billed like a Consumption Offering. ii. Consumption Offering (also known as Pay‐As‐You‐Go). You pay based on actual usage in the preceding month with no upfront commitment. Payment is on a periodic basis in arrears. iii. Limited Offering. You receive a limited quantity of Services for a limited term without charge (for example, a free trial) or as part of another Microsoft offering (for example, MSDN). Provisions in this agreement with respect to pricing, cancellation fees, payment, and data retention may not apply. b. Ordering. By placing an order, you agree to the pricing and related terms for that Subscription offer. Unless otherwise specified in those terms, Services are offered on an "as available" basis and we make no guarantee of available capacity. You may place orders for your Affiliates under this agreement and grant your Affiliates administrative rights to manage Products, but Affiliates may not place orders under this agreement. If you grant any rights to Affiliates, such Affiliates shall be bound by this agreement and you agree to be jointly and severally liable for any actions of such Affiliates related to their use of the Products. c. Pricing and payment. Payments are due and must be made according to the pricing and related terms on the Portal for your Subscription. i. For Commitment Offerings, the price level may be based on the quantity you ordered. Some offers may permit you to modify the quantity ordered during the Term and your price level may be adjusted accordingly, but price level changes are not retroactive. During the Term, we will not increase prices for the commitment portion of your Subscription from those posted at the time your order is first placed, except for Previews or where prices are identified as temporary. All prices are subject to change at the beginning of any Subscription renewal. ii. For Consumption Offerings, pricing is subject to change at any time upon notice. d. Renewal. Renewal is subject to the renewal terms on the Portal for your Subscription. i. For Commitment Offerings, you may choose to have a Subscription automatically renew or terminate upon expiration of the Term. Automatic renewal is pre‐selected. You can change your selection at any time during the Term. If the existing Term is longer than one calendar month, we will provide you with written notice of the automatic renewal before the expiration of the Term. ii. For Consumption Offerings, the Subscription renews automatically at the end of every month until you terminate the Subscription. iii. For Limited Offerings, renewal may not be permitted. e. Taxes. Prices are exclusive of any taxes. You shall pay any applicable value added, goods and services, sales, or like taxes that are owed with respect to any order placed under this agreement and which we are permitted to collect from you under applicable law. You shall be responsible for any applicable stamp taxes and for all other taxes that you are legally obligated to pay including any taxes that arise on the provision of Product to your Affiliates. We shall be responsible for all taxes based upon our net income or on our property ownership. If any taxes are required to be withheld on payments you make to us, you may deduct such taxes from the amount owed to us and pay them to the appropriate taxing authority, provided however that you promptly secure and deliver an official receipt for those withholdings and other documents we reasonably request to claim a foreign tax credit or refund. You will make certain that any taxes withheld are minimized to the extent possible under applicable law. 4. Term, termination, and suspension. a. Agreement Term and termination. This agreement will remain in effect unless you terminate it. b. Subscription Term and termination. You may terminate a Subscription at any time during its Term, however, you must pay all amounts due and owing before the termination is effective and no refunds will be provided. i. One month Subscription. A Subscription with a one month Term may be terminated anytime without any cancellation fee. ii. Subscriptions of more than one month. If you terminate a Subscription within 30 days of the date on which the Subscription became effective or was renewed, you must pay for the initial 30 days of the Subscription but no payments will be due for the terminated portion of the Subscription. If you terminate a Subscription at any other time during the Term, you must pay for the terminated portion of the Subscription as set forth in the pricing and related terms on the Portal for your Subscription. c. Customer Data return and deletion. You may extract and/or delete Customer Data at any time. When a Subscription expires or terminates, we will retain any Customer Data you have not deleted for at least 90 days so that you may extract it, except for free trials, where we may delete Customer Data immediately without any retention period. You remain responsible for all storage and other applicable charges during this retention period. Following the expiration of this retention period, we will delete all Customer Data, including any cached or back‐up copies, within 30 days of the end of the retention period. You agree that we have no additional obligation to continue to hold, export or return Customer Data and that we have no liability whatsoever for deletion of Customer Data pursuant to these terms. d. Regulatory. In any country where any current or future government regulation or requirement applies to us, but not generally to businesses operating there, presents a hardship to us operating the Services without change, and/or causes us to believe this agreement or the Services may be in conflict with any such regulation or requirement, we may change the Services or terminate the agreement. If we use this subsection 4(d) of the agreement to change the Services, then you may terminate this agreement. e. Suspension. We may suspend your use of the Services if: (1) reasonably needed to prevent unauthorized access to Customer Data; (2) you fail to respond to a claim of alleged infringement under Section 6 within a reasonable time; (3) you do not pay amounts due under this agreement; or (4) you do not abide by the Acceptable Use Policy or violate other terms of this agreement. A suspension will apply to the minimum necessary part of the Services and will be in effect only while the condition or need exists. We will give notice before we suspend, except where we reasonably believe we need to suspend immediately. We will give at least 30 days' notice before suspending for non‐payment. If you do not fully address the reasons for the suspension within 60 days after we suspend, we may terminate your Subscription and delete your Customer Data without any retention period. 5. Warranties. a. Limited warranty. We warrant that the Services will meet the terms of the SLAs during the Term. Your only remedies for breach of this warranty are those in the SLAs. b. Limited warranty exclusions. This limited warranty is subject to the following limitations: i. any implied warranties, guarantees or conditions not able to be disclaimed as a matter of law will last one year from the start of the limited warranty; ii. this limited warranty does not cover problems caused by accident, abuse or use of the Products in a manner inconsistent with this agreement, or resulting from events beyond our reasonable control; iii. this limited warranty does not apply to problems caused by the failure to meet minimum system requirements; and iv. this limited warranty does not apply to Previews or free offerings. c. DISCLAIMER. OTHER THAN THIS WARRANTY, WE PROVIDE NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THESE DISCLAIMERS WILL APPLY TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW. 6. Defense of claims. a. Defense. We will defend you against any claims made by an unaffiliated third party that the Product infringes its patent, copyright or trademark or makes unlawful use of its trade secret. You will defend us against any claims made by an unaffiliated third party that (1) any Customer Solution or Customer Data you provide directly or indirectly in using the Product infringes the third party's patent, copyright, or trademark or makes unlawful use of its trade secret or (2) arise from violation of the Acceptable Use Policy. b. Limitations. Our obligations in subsection 6(a) will not apply to a claim or award based on: (1) Customer Solution, Customer Data, Non‐Microsoft Product, modifications you make to the Product, or materials you provide or make available as part of using the Product; (2) your combination of the Product with, or damages based upon the value of, a Non‐Microsoft Product, data or business process; (3) your use of a Microsoft trademark without our express written consent, or your use of the Product after we notify you to stop due to a third‐party claim; or (4) your redistribution of the Product to, or use for the benefit of, any unaffiliated third party. c. Remedies. If we reasonably believe that a claim under subsection 6(a) may bar your use of the Product, we will seek to: (1) obtain the right for you to keep using it; or (2) modify or replace it with a functional equivalent. If these options are not commercially reasonable, we may terminate your rights to use the Product and then refund any advance payments for unused Subscription rights. d. Obligations. Each party must notify the other promptly of a claim under this Section 6. The party seeking protection must (1) give the other sole control over the defense and settlement of the claim; and (2) give reasonable help in defending the claim. The party providing the protection will (1) reimburse the other for reasonable out‐of‐pocket expenses that it incurs in giving that help and (2) pay the amount of any resulting adverse final judgment (or settlement that the other consents to). The parties' respective rights to defense and payment of judgments or settlements under this Section are in lieu of any common law or statutory indemnification rights or analogous rights, and each party waives such common law rights. 7. Limitation of liability. a. Limitation. The aggregate liability of each party under this agreement is limited to direct damages up to the amount paid under this agreement for the Services giving rise to that liability during the 12 months before the liability arose, or for Products provided free of charge, Five Thousand United States dollars ($5,000.00 USD). b. EXCLUSION. NEITHER PARTY WILL BE LIABLE FOR LOSS OF REVENUE OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, EVEN IF THE PARTY KNEW THEY WERE POSSIBLE. c. Exceptions to Limitations. The limits of liability in this Section apply to the fullest extent permitted by applicable law, but do not apply to: (1) the parties' obligations under Section 6 or subsection 9(n); or (2) violation of the other's intellectual property rights. 8. Software. a. Software provided for use on devices. If the Software is provided to you with its own proprietary license terms, those terms control. If the Software does not have its own license terms, then you may install and use any number of copies of Software on your devices for use with Services. This Section does not apply to Software addressed in subsection 8(b). b. Software provided for use within Services. We may provide you with the option of running Software within the Services (for example, in a virtual machine). Your use of the Software is subject to Microsoft's proprietary license terms contained in the Software, as modified below: i. You may use such Software only within the Services and only in conjunction with your permitted use of any applicable Services role. To the extent of any conflict between this paragraph and the proprietary license terms contained in the Software, this paragraph controls. ii. You have no other rights under the Software's license terms or under this agreement to run the software (for example, you may not run copies on your on‐premise servers or other devices unless you separately obtain the license to do so). c. Effect of termination or expiration on Software. If this agreement or a Subscription is terminated or expires and you do not exercise an available buy‐out option for Software, then you must delete all copies of Software licensed under this agreement and destroy any associated media. d. Other rights. Rights to access Software on any device do not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that access that device. e. Third party software. Software may contain third party proprietary programs that are licensed under separate terms that are presented to you. Software may also contain third party open source programs that Microsoft, not the third party, licenses to you under Microsoft's license terms. Notices, if any, for the third party open source programs are included for your information only. 9. Miscellaneous. a. Notices. You must send notices by mail to the address below. OneBridge Solutions, Inc. 1775 W. State Street, #141 Boise, Idaho 83702 USA Attention: Director, Customer Care You agree to receive electronic notices from us, which will be sent by email to the account administrator you specify in the Portal. Notices are effective on the date on the return receipt or, for email, when sent. b. Assignment. You may not assign this agreement either in whole or in part. c. Consent to partner fees. When you place an Order, you may be given the option to identify a "Partner of Record" associated with your Subscriptions. By identifying a Partner of Record, directly or by authorizing a third party to do so, you consent to us paying fees to the Partner of Record. The fees are for pre‐sales support and may also include post‐sales support. The fees are based on, and increase with, the size of your Order. Our prices for Products are the same whether or not you identify a Partner of Record. d. Severability. If any part of this agreement is held unenforceable, the rest remains in full force and effect. e. Waiver. Failure to enforce any provision of this agreement will not constitute a waiver. f. No agency. We are independent contractors. This agreement does not create an agency, partnership or joint venture. g. No third‐party beneficiaries. There are no third‐party beneficiaries to this agreement. h. Applicable law and venue. This agreement is governed by State of Washington law, without regard to its conflict of laws principles except that (1) if you are a U.S. Government entity, this agreement is governed by the laws of the United States, and (2) if you are a state or local government entity in the United States, this agreement is governed by the laws of that state. Any action to enforce this agreement must be brought in the State of Washington. This choice of jurisdiction does not prevent either party from seeking injunctive relief in any appropriate jurisdiction with respect to violation of intellectual property rights. i. Entire agreement. This agreement (which includes the Acceptable Use Policy, the Services Terms, the SLAs and the pricing and payment terms listed on the Portal) is the entire agreement concerning its subject matter and supersedes any prior or concurrent communications. j. Survival. The following provisions will survive this agreement's termination or expiration: 1c‐f, 2b‐g, 3e, 4a‐c, 5‐7, 8c, and 9‐10. This agreement will remain in effect for any Subscription term. k. U.S. export jurisdiction. The Product is subject to U.S. export jurisdiction. You must comply with all applicable laws, including the U.S. Export Administration Regulations, the International Traffic in Arms Regulations, and end‐ user, end‐use and destination restrictions issued by U.S. and other governments. For additional information, see http://www.microsoft.com/exporting/. l. International availability. Availability of the Services, including specific features and language versions, varies by country. Information on availability is located at http://www.microsoft.com/online/faq.aspx#international or at an alternate site we identify. m. Acquired rights. You will defend us against any claim that arises from (1) any aspect of the current or former employment relationship between you and any of your current or former personnel or contractors or under any collective agreements, including, without limitation, claims for wrongful termination, breach of express or implied employment contracts, or payment of benefits or wages, unfair dismissal costs, or redundancy costs, or (2) any obligations or liabilities whatsoever arising under the Acquired Rights Directive (Council Directive 2001/23/EC, formerly Council Directive 77/187/EC as amended by Council Directive 98/50/EC) or any national laws or regulations implementing the same, or similar laws or regulations, (including the Transfer of Undertakings (Protection of Employment) Regulations 2006 in the United Kingdom) including a claim from your current or former personnel or contractors (including a claim in connection with the termination of their employment by us following any transfer of their employment to us pursuant to such laws or regulations). You must pay the amount of any resulting adverse final judgment (or settlement to which you consent). This section provides our exclusive remedy for these claims. We will notify you promptly in writing of a claim subject to this section. We must (1) give you sole control over the defense or settlement of such claim; and (2) provide reasonable assistance in defending the claim. You will reimburse us for reasonable out of pocket expenses that we incur in providing assistance. n. Force majeure. Neither party will be liable for any failure in performance due to causes beyond its reasonable control (such as fire, explosion, power blackout, earthquake, flood, severe storms, strike, embargo, labor disputes, acts of civil or military authority, war, terrorism (including cyber terrorism), acts of God, acts or omissions of Internet traffic carriers, actions or omissions of regulatory or governmental bodies (including the passage of laws or regulations or other acts of government that impact the delivery of Services). This section will not, however, apply to your payment obligations under this agreement. o. Modifications. We may modify this agreement at any time by posting a revised version on the legal information section of the Portal (http://www.windowsazure.com/en‐us/support/legal/ or an alternate site we identify) or by notifying you in accordance with subsection 9a. Modified terms that relate to changes or additions to the Product or that are required by law will be effective immediately, and by continuing to use the Services you will be bound by the modified terms. All other modified terms will be effective upon renewal (including automatic renewal) of an existing Subscription or order for a new Subscription. 10. Definitions. Any reference in this agreement to "day" will be a calendar day. "Acceptable Use Policy" lists prohibited uses of Services, and is published at http://www.windowsazure.com/en‐ us/support/legal/ or at an alternate site that we identify. "Affiliate" means any legal entity that a party owns or that owns a party, with a 50% or greater interest. "Consumption Offering", "Commitment Offering", or "Limited Offering" describe categories of Subscription offers and are defined in Section 3. "Customer Data" means all data, including all text, sound, software, or image files, that are provided to us by, or on behalf of, you through your use of the Services "Customer Solution" means the application(s) you run with Services. "End User" means any user of a Customer Solution, or any person permitted by you to access Customer Data hosted in Services or otherwise use the Services. "Non‐Microsoft Product" is any software, data, service, website or other product licensed, sold or otherwise provided to you by an entity other than us, whether you obtained it via our Product or elsewhere. "Portal" means the online portal from which you purchase a Subscription at http://www.windowsazure.com/en‐ us/pricing/ or at an alternate site we identify. "Previews" means preview, beta, or other pre‐release versions of the Services or Software offered by Microsoft to obtain customer feedback. "Privacy Statement" means the Windows Azure Privacy Statement, published at http://www.windowsazure.com/en‐us/support/legal/privacy‐statement/ or at an alternate site that we identify. "Product" means any Services and Software. "Services" means one or more of the Windows Azure services or features made available to you under this agreement by Microsoft and identified at http://www.windowsazure.com/en‐us/home/features/overview/, except Windows Azure Marketplace (which is governed by separate terms). "Services Terms" provide additional terms that govern specific features within the Product and customer support for the Product, and are published at http://www.windowsazure.com/en‐us/support/legal/ or an alternate site we identify. You may also need to use other Microsoft web sites and online services to access and use the Services (for example, Windows Live ID), and if so, the terms of use associated with those web sites or online services apply to your use of them. "SLAs" means the commitments we make regarding delivery or performance of the Services, as published in the service level agreements available at http://www.windowsazure.com/en‐us/support/legal/sla/ or at an alternate site that we identify. "Software" means Microsoft software we provide to you as part of the Services for use with the Services. "Subscription" means an enrollment for Services for a defined Term as specified on the Portal. You may purchase multiple Subscriptions, which may be administered separately. "Term" means the duration of a Subscription (for example, 30 days or 12 months). "we" and "us" means Microsoft Corporation and its affiliates, as appropriate. "Trust Center" means the Windows Azure Trust Center published at http://www.windowsazure.com/en‐ us/support/trust‐center/ or at an alternate site we identify. "you" and "your" means the entity signing this agreement to use the Product. ACCEPTANCE OF TERMS. The Website Services (as defined in the next section) that OneBridge Solutions Inc. (“OneBridge”) provides to you on the Windows Azure website (“Website”) are subject to the following Terms of Use ("TOU"). OneBridge and / or Microsoft reserves the right to update the TOU at any time without notice to you. The most current version of the TOU can be reviewed by clicking on the "Terms of Use" hypertext link located on the Windows Azure Website pages. DESCRIPTION OF WEBSITE SERVICES. Throughout this Website, OneBridge and or Microsoft provide you with access to a variety of resources, that may include upload and download areas, communication forums and information (collectively "Website Services"). The Website Services, including any updates, enhancements, new features, and/or the addition of any new Web properties, are subject to the TOU. This TOU does not apply to use of the Windows Azure cloud services platform or features (including the Windows Azure management portal), which requires a subscription and is governed by the Windows Azure Agreement or other service agreement under which you purchase such services. PRIVACY AND PROTECTION OF PERSONAL INFORMATION. See the Windows Azure Privacy Statement disclosures relating to the collection and use of your information. SOFTWARE AVAILABLE ON THIS WEBSITE. Any software that is made available to download from the Website Services ("Software") is the copyrighted work of Microsoft and/or OneBridge and / or their suppliers. Use of the Software is governed by the terms of the end user license agreement, if any, which accompanies or is included with the Software ("License Agreement"). An end user will be unable to install any Software that is accompanied by or includes a License Agreement, unless he or she first agrees to the License Agreement terms. The Software is made available for download solely for use by end users according to the License Agreement. Any reproduction or redistribution of the Software not in accordance with the License Agreement is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the maximum extent possible. DOCUMENTS AVAILABLE ON THIS WEBSITE. Permission to use Documents (such as white papers, press releases, datasheets and FAQs) from the Website Services is granted, provided that (1) the below copyright notice appears in all copies and that both the copyright notice and this permission notice appear, (2) use of such Documents from the Website Services is for informational and non‐commercial or personal use only and will not be copied or posted on any network computer or broadcast in any media, and (3) no modifications of any Documents are made. Use for any other purpose is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the maximum extent possible. Documents specified above do not include the design or layout of the Website or any other OneBridge or Microsoft owned, operated, licensed or controlled site. Elements of OneBridge and /or Microsoft Websites are protected by trade dress, trademark, unfair competition, and other laws and may not be copied or imitated in whole or in part. No logo, graphic, sound or image from any Microsoft Website may be copied or retransmitted unless expressly permitted by OneBridge or Microsoft. MATERIALS POSTED ON THIS WEBSITE. All materials, including software, help topics, white papers, datasheets, and FAQs (collectively “Materials”) that are made available as part of the Website Services are the copyrighted work of OneBridge or Microsoft or their suppliers. Your use of these Materials are governed by one of two sets of license terms; if you are presented with a license for the Materials, the terms of that license apply; if no license is presented to you, these terms apply. OneBridge or Microsoft reserves all other rights to the Materials not expressly granted under these license terms. In your use of the Materials you may not: • Remove, modify or tamper with any copyright notices; • Use the Materials for any commercial purposes; • Post the Materials on any networked computer for access by any other computer on the network or broadcast it in any media; or • Make any modifications to the Materials. OneBridge or Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in the Materials. By providing the Materials to you, OneBridge or Microsoft does not give you any license to these patents, trademarks, copyrights, or other intellectual property, unless OneBridge or Microsoft does so expressly in writing. Some Materials available as part of the Website Services are licensed to you by third parties. OneBridge or Microsoft does not grant you any additional rights (express or implied) for such third party Materials. OneBridge or Microsoft does not claim ownership of the materials you provide to OneBridge or Microsoft (including feedback and suggestions) or post, upload, input or submit to any Website Services or its associated services for review by the general public, or by the members of any public or private community, (collectively "Submissions"). However, by posting, uploading, inputting, providing or submitting your Submission you are granting OneBridge or Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all OneBridge or Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Windows Azure Website. LIABILITY DISCLAIMER ONEBRIDGE OR MICROSOFT AND/OR THEIR RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS, MATERIALS AND RELATED GRAPHICS PUBLISHED AS PART OF THE WEBSITE SERVICES FOR ANY PURPOSE. ALL SUCH DOCUMENTS, MATERIALS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ONEBRIDGE OR MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, INCLUDING ALL WARRANTIES AND CONDITIONS OF MERCHANTABILITY, WHETHER EXPRESS, IMPLIED OR STATUTORY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON‐INFRINGEMENT. IN NO EVENT SHALL ONEBRIDGE OR MICROSOFT AND/OR THEIR RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THE WEBSITE SERVICES.THE DOCUMENTS, MATERIALS AND RELATED GRAPHICS PUBLISHED ON THE WEBSITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. ONEBRIDGE OR MICROSOFT AND/OR THEIR RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME. IN NO EVENT SHALL ONEBRIDGE OR MICROSOFT AND/OR THEIR RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF SOFTWARE, DOCUMENTS, MATERIALS, PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR INFORMATION AVAILABLE FROM THE WEBSITE SERVICES. UNSOLICITED IDEA SUBMISSION POLICY. OneBridge or Microsoft or any of its employees do not accept or consider unsolicited ideas, including ideas for new advertising campaigns, new promotions, new products or technologies, processes, materials, marketing plans or new product names. Please do not send any artwork, samples, demos, or other works to OneBridge or Microsoft or anyone at OneBridge or Microsoft. The sole purpose of this policy is to avoid potential misunderstandings or disputes when OneBridge or Microsoft's products or marketing strategies might seem similar to ideas submitted to OneBridge or Microsoft. So, please do not send your unsolicited ideas to OneBridge or Microsoft or anyone at OneBridge or Microsoft. If, despite our request that you not send us your ideas and materials, you still send them, please understand that OneBridge or Microsoft makes no assurances that your ideas and materials will be treated as confidential or proprietary. MEMBER ACCOUNT, PASSWORD AND SECURITY. If any of the Website Services requires you to open an account, you must complete the registration process by providing us with current, complete and accurate information as prompted by the applicable registration form. You also will choose a password and a user name. You are entirely responsible for maintaining the confidentiality of your password and any other non‐public account information. Furthermore, you are entirely responsible for any and all activities that occur under your account. You agree to notify OneBridge or OneBridge or Microsoft immediately of any unauthorized use of your account or any other breach of security. OneBridge or Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by OneBridge or Microsoft or another party due to someone else using your account or password. You may not use anyone else's account at any time, without the permission of the account holder. NO UNLAWFUL OR PROHIBITED USE. As a condition of your use of the Website Services, you will not use the Website Services for any purpose that is unlawful or prohibited by these terms, conditions, and notices. You may not use the Website Services in any manner that could damage, disable, overburden, or impair any OneBridge or Microsoft server, or the network(s) connected to any OneBridge or Microsoft server, or interfere with any other party's use and enjoyment of any Website Services. You may not attempt to gain unauthorized access to any Website Services, other accounts, computer systems or networks connected to any OneBridge or Microsoft server or to any of the Website Services, through hacking, password mining or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Website Services. USE OF COMMUNICATION SERVICES. The Website Services may contain wikis, bulletin board services, blogs, chat areas, forums, news groups, communities and/or other message or communication facilities designed to enable you to communicate with others (each a "Communication Service" and collectively "Communication Services"). You agree to use the Communication Services only to post, send and receive messages and materials that are proper and, when applicable, related to the particular Communication Service. By way of example, and not as a limitation, you agree that using the Communication Services, you may not: • Use the Communication Services in connection with surveys, contests, pyramid schemes, chain letters, junk email, spamming or any duplicative or unsolicited messages (commercial or otherwise); • Defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others; • Publish, post, upload, distribute or disseminate any inappropriate, profane, defamatory, obscene, indecent or unlawful topic, name, material or information. • Upload, or otherwise make available, files that contain images, photographs, software or other material protected by intellectual property laws, including, by way of example, and not as limitation, copyright or trademark laws (or by rights of privacy or publicity) unless you own or control the rights thereto or have received all necessary consent to do the same. • Use any material or information, including images or photographs, which are made available through the Services in any manner that infringes any copyright, trademark, patent, trade secret, or other proprietary right of any party. • Upload files that contain viruses, Trojan horses, worms, time bombs, cancelbots, corrupted files, or any other similar software or programs that may damage the operation of another's computer or property of another. • Advertise or offer to sell or buy any goods or services for any business purpose, unless such Services specifically allows such messages. • Download any file posted by another user of a Communication Service that you know, or reasonably should know, cannot be legally reproduced, displayed, performed, and/or distributed in such manner. • Falsify or delete any copyright management information, such as author attributions, legal or other proper notices or proprietary designations or labels of the origin or source of software or other material contained in a file that is uploaded. • Restrict or inhibit any other user from using and enjoying the Communication Services. • Violate any code of conduct or other guidelines which may be applicable for any particular Communication Service. • Harvest or otherwise collect information about others, including e‐mail addresses. • Violate any applicable laws or regulations. • Create a false identity for the purpose of misleading others. • Use, download or otherwise copy, or provide (whether or not for a fee) to a person or entity any directory of users of the Website Services or other user or usage information or any portion thereof. Neither OneBridge nor Microsoft has any obligation to monitor the Communication Services. However, OneBridge or Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion. OneBridge or Microsoft reserves the right to terminate your access to any or all of the Communication Services at any time, without notice, for any reason whatsoever. OneBridge or Microsoft reserves the right at all times to disclose any information as OneBridge or Microsoft deems necessary to satisfy any applicable law, regulation, legal process or governmental request, or to edit, refuse to post or to remove any information or materials, in whole or in part, in OneBridge or Microsoft's sole discretion. Always use caution when giving out any personally identifiable information about yourself or your children in any Communication Services. OneBridge or Microsoft do not control or endorse the content, messages or information found in any Communication Services and, therefore, OneBridge or Microsoft specifically disclaims any liability with regard to the Communication Services and any actions resulting from your participation in any Communication Services. Managers and hosts are not authorized OneBridge or Microsoft spokespersons, and their views do not necessarily reflect those of OneBridge or Microsoft. Materials uploaded to the Communication Services may be subject to posted limitations on usage, reproduction and/or dissemination; you are responsible for adhering to such limitations if you download the materials. FEEDBACK If you give OneBridge or Microsoft feedback, you give OneBridge or Microsoft an irrevocable, perpetual, sublicensable right to use, share, and commercialize your feedback in any way and for any purpose at no charge. You also give third parties any patent rights in your feedback needed for their products, technologies, and services to use or interface with any specific parts of a OneBridge or Microsoft software or service at no charge. You will not give feedback that is subject to a license or other obligation that requires OneBridge or Microsoft to grant or pass through any rights or make any disclosures or payments to third parties. These rights survive these terms. No compensation will be paid with respect to the use of your Submission, as provided herein. Neither OneBridge nor Microsoft are under any obligation to post or use any Submission you may provide and OneBridge or Microsoft may remove any Submission at any time in its sole discretion. By Posting a Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in these Terms of Use including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions. In addition to the warranty and representation set forth above, by Posting a Submission that contain images, photographs, pictures or that are otherwise graphical in whole or in part ("Images"), you warrant and represent that (a) you are the copyright owner of such Images, or that the copyright owner of such Images has granted you permission to use such Images or any content and/or images contained in such Images consistent with the manner and purpose of your use and as otherwise permitted by these Terms of Use and the Website Services, (b) you have the rights necessary to grant the licenses and sublicenses described in these Terms of Use, and (c) that each person depicted in such Images, if any, has provided consent to the use of the Images as set forth in these Terms of Use, including, by way of example, and not as a limitation, the distribution, public display and reproduction of such Images. By Posting Images, you are granting (a) to all members of your private community (for each such Images available to members of such private community), and/or (b) to the general public (for each such Images available anywhere on the Website Services, other than a private community), permission to use your Images in connection with the use, as permitted by these Terms of Use, of any of the Website Services, (including, by way of example, and not as a limitation, making prints and gift items which include such Images), and including, without limitation, a non‐exclusive, world‐wide, royalty‐free license to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Images without having your name attached to such Images, and the right to sublicense such rights to any supplier of the Website Services. The licenses granted in the preceding sentences for a Images will terminate at the time you completely remove such Images from the Website Services, provided that, such termination shall not affect any licenses granted in connection with such Images prior to the time you completely remove such Images. No compensation will be paid with respect to the use of your Images. LINKS TO THIRD PARTY SITES. The Website Services may contain links to third party websites which will let you leave the Windows Azure Website. These websites are not under OneBridge’s or Microsoft’s control. Neither OneBridge nor Microsoft makes any effort to review the content of these websites. This includes the validity, legality, copyright compliance, and decency of such content. Neither OneBridge nor Microsoft are responsible for the content of these websites. If OneBridge or Microsoft has included these links in the Website Services, they are provided for convenience only. Neither OneBridge nor Microsoft endorse or make any representation, guarantee or assurance regarding any third party website, service or product. Any third party product or service that you acquire, and any exchange of data between you and such third party provider, is solely between you and the third party. Third party websites may be subject to the third party’s terms conditions and privacy statements. OneBridge or Microsoft may disable links to any third‐party website that you or others post on this Website. INTELLECTUAL PROPERTY RIGHTS. OneBridge or Microsoft or their suppliers retain all right, title, and interest in and to this Website and the Website Services, including all copyrights, patents, trade secrets, trademarks and other intellectual property rights. OneBridge or Microsoft reserve all rights not expressly granted. These TOU does not grant or imply any rights to any OneBridge or Microsoft or supplier trademarks, trade names or logos. Microsoft Trademark information is available at http://www.microsoft.com/en‐us/legal/intellectualproperty/trademarks/en‐us.aspx Any rights not expressly granted herein are reserved. Send your questions to the appropriate contact as listed below: • Microsoft Piracy questions can be routed to piracy@microsoft.com or by calling 1‐800‐R‐U‐LEGIT. NOTICES AND PROCEDURE FOR MAKING CLAIMS OF COPYRIGHT INFRINGEMENT. Pursuant to Title 17, United States Code, Section 512(c)(2), notifications of claimed copyright should be sent to Service Provider's Designated Agent. ALL INQUIRIES NOT RELEVANT TO THE FOLLOWING PROCEDURE WILL RECEIVE NO RESPONSE. See Notice and Procedure for Making Claims of Copyright Infringement. COPYRIGHT NOTICE. © 2013 Microsoft Corporation. All rights reserved. Attachments: Schedule A: OneBridge Windows Azure Privacy Statement Schedule B: Microsoft Account Schedule C: Windows Azure Trust Center – Introduction Schedule D: Windows Azure Trust Center ‐ Compliance Schedule E: Windows Azure Trust Center – Privacy Schedule F: Windows Azure Trust Center ‐ Security SCHEDULE A: WINDOWS AZURE PRIVACY STATEMENT Last updated: March 2013 Scope Windows Azure is a cloud services platform that enables you to deploy and manage applications and store data across a global network of Microsoft‐managed data centers. This notice applies to the use of those services and any other Microsoft services that display or link to this notice. These services are referred to in this statement collectively as the "Services." The Services may enable you to purchase, subscribe or use other products and services from OneBridge or Microsoft or third parties with different privacy practices. Your use of other products and services, and any information you provide to a third party, is governed by their privacy statements and policies. Notice to End Users: This privacy statement is written for the organization or company (our "customer") that contracts with Microsoft for the Services. All references to "you" or "your" in this privacy statement is to OneBridge, who in turn, uses the Services to develop and host their own services for end users. Any information Microsoft collects or handles in such circumstances is processed by Microsoft on behalf of OneBridge, who controls the collection and use of the information. End users should direct privacy‐related requests to OneBridge. Microsoft is not responsible for the privacy practices of OneBridge. OneBridge will not access any End‐User data on the Windows Azure platform unless so requested by an End‐User. Customer Data Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services. For example, Customer Data includes data that you upload for storage or processing in the Services and applications that you or your end users upload for hosting in the Services. It does not include configuration or technical settings. Microsoft only uses Customer Data to provide the Services. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of the Services and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam). Administrator Data Administrator Data is the information about administrators (including account contact and subscription administrators) provided during sign‐up, purchase, or administration of the Services, such as name, address, phone number, and e‐mail address. Microsoft uses Administrator Data to complete the transactions requested, administer the account, improve the Services and detect and prevent fraud. Microsoft may contact OneBridge to provide information about new subscriptions, billing and important updates about the Services, including information about security or other technical issues. Microsoft may also contact OneBridge regarding third‐party inquiries they receive regarding your use of the Services, as described in your agreement(s). OneBridge will not be able to unsubscribe from these communications. Subject to your contact preferences, Microsoft and / or OneBridge may also contact you, by phone or e‐mail, regarding information and offers about other products and services or to request your feedback. OneBridge may manage your contact preferences or update your information in your account profile. Payment Data When you make purchases from OneBridge, you will be asked to provide information, which may include your payment instrument number (e.g., credit card, PayPal), your name and billing address, and the security code associated with your payment instrument (e.g., the CSV) and other financial data ("Payment Data"). OneBridge uses Payment Data to complete transactions, as well as for the detection and prevention of fraud. When you provide Payment Data while authenticated, OneBridge will store that data to help you complete future transactions without your having to provide the information again. We may retain the security code associated with your Payment instrument (e.g., the CSV) in this manner. To remove or modify Payment Data, please contact OneBridge Accounting or OneBridge Customer Support. After you close your account or remove Payment Data, however, OneBridge may retain your Payment Data for as long as reasonably necessary to complete your existing transaction and for the detection and prevention of fraud. Support Data Support Data is the information OneBridge and / or Microsoft collects when you submit a support request or run an automated troubleshooter, including information about hardware, software, and other details related to the support incident, such as: contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error‐tracking files. Support may be provided through phone, e‐mail, or online chat. OneBridge may use Remote Access (RA), with your permission, to temporarily navigate your machine. Phone conversations, online chat sessions, or Remote Access sessions with support professionals may be recorded and/or monitored. For RA, you may also access the recording after your session. For Online Chat or RA, you may end a session at any time of your choosing. OneBridge or Microsoft may use Support Data as described in this privacy statement, and additionally use it to resolve your support incident and for training purposes. Following a support incident, OneBridge may send you a survey about your experience and offerings. You must opt‐ out of support surveys separately from other communications provided by OneBridge and / or Microsoft, by contacting OneBridge Support. To review and edit your personal information collected through our support services, please contact OneBridge Support. Some business customers may purchase enhanced support offerings (e.g., Premier). These offerings are covered by separate terms and notices. Cookies & Other Information Some Windows Azure websites use "cookies," which are small text files placed on a device’s hard disk by a web server. OneBridge and / or Microsoft may use cookies and similar technologies such as web beacons for storing users’ preferences and settings, for fraud prevention, to authenticate users and to collect operational information about the Services. Some of the cookies commonly used are listed in the following chart. This list is not exhaustive, but it is intended to illustrate some of the reasons why cookies are set. If users visit one of OneBridge’s and / or Microsoft’s websites, the site may set some or all of the following cookies: COOKIE NAME DESCRIPTION Session Sets a unique ID identifying the user session with windowsazure.com. It is used for site analytics and other operational purposes. .ASPXAUTH Used for authentication purposes. refreshRate Stores selected page refresh rate at windowsazurestatus.com. hideServices Stores a list of services the user chooses to hide from current view at windowsazurestatus.com. CURRENT_ACCOUNT_ID Identifies the Account ID of an enterprise customer in the Azure Enterprise portal. SelectedMarket Identifies the region that the user selects for the Azure DataMarket. In addition to the cookies OneBridge or Microsoft may set when you visit our web sites, third parties that we have hired to provide certain services on our behalf, such as site analytics, may also set certain cookies on your hard drive when you visit OneBridge or Microsoft sites. To learn more about how to control cookies and similar technologies, please see below at Cookies and Similar Technologies. Local Software Some features of Windows Azure may enable or require that you install local software (e.g., agents). This software may collect data from your local environment in order to provide the services that you have requested. Local agents may also collect telemetry information that will be sent to OneBridge or Microsoft for operating and improving the Services. For more information about agents, please consult the relevant service documentation. Sharing Your Information OneBridge and Microsoft will not disclose Customer Data, Administrator Data, Payment Data or Support Data ("your information") outside of OneBridge or Microsoft or its controlled subsidiaries and affiliates except as you direct, or as described in your agreement(s) or this privacy statement. • OneBridge and Microsoft occasionally contract with other companies to provide services (such as customer support) on our behalf. We may provide these companies with access to your information where necessary for their engagement. These companies are required to maintain the confidentiality of your information and are prohibited from using it for any purpose other than that for which they are engaged by OneBridge or Microsoft. • Neither OneBridge nor Microsoft will disclose Customer Data to a third party (including law enforcement, other government entity, or civil litigant; excluding our subcontractors) except as you direct or unless required by law. Should a third party contact us with a demand for Customer Data, we will attempt to redirect the third party to request it directly from you. As part of that, we may provide your basic contact information to the third party. If compelled to disclose Customer Data to a third party, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited. • OneBridge or Microsoft may share Administrator Data or Payment Data with third parties for purposes of fraud prevention or to process payment transactions. • The Services may enable you to subscribe to, or use services, software, and content from companies other than OneBridge or Microsoft ("Third Party Offerings"). If you choose to purchase, subscribe to, or use a Third Party Offering, OneBridge and / or Microsoft may provide the third party with your Administrator Data to enable the third party to provide its offering to you (and subject to your contact preferences, send you promotional communications). That information and your use of a Third Party Offering will be governed by the applicable privacy statement and policies from the third party. • OneBridge or Microsoft will not substantively respond to data protection and privacy requests from you without your prior written consent, unless required by applicable law. Security For more information about the security of the Services, please visit the Windows Azure Trust Center. Data Location OneBridge will specify the geographic region of the Microsoft data centers in which Customer Data will be stored. Microsoft may transfer Customer Data within a major geographic region (for example, within the United States or within Europe) for data redundancy or other purposes. Microsoft will not transfer Customer Data outside the major geographic region that has been specified (for example, from the United States to Asia or from Europe to the United States) except: • where OneBridge configures the account to enable this, including through use of features that may not enable regional selection or may use multiple regions, as specified in the Windows Azure Trust Center (which OneBridge or Microsoft may update from time to time but OneBridge or Microsoft will not add exceptions for existing features in general release); or • where necessary to provide customer support, to troubleshoot the service or to comply with legal requirements. Microsoft does not control or limit the regions from which OneBridge and its End Users may access or move Customer Data. Subject to the above restrictions, Customer Data that Microsoft processes on OneBridge’s behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its affiliates or subcontractors maintain facilities. OneBridge appoints Microsoft to perform any such transfer of Customer Data to any such country and to store and process Customer Data in order to provide the Services. Microsoft abides by the EU Safe Harbor and the Swiss Safe Harbor frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland. SCHEDULE B: MICROSOFT ACCOUNT In order to access the Services, OneBridge may require its customers to sign in with a Microsoft Account or another authentication mechanism. Use of Microsoft Account is subject to the privacy statement set forth here. By signing into one Microsoft service, you may be automatically signed into other Microsoft services that use these credentials. Preview Releases Windows Azure preview, beta or other pre‐release services ("Previews") are optional evaluation versions of the Services offered by Microsoft to obtain customer feedback prior to general release. This section describes the different or additional terms specific to Previews: • Administrator Data: Microsoft may contact you to obtain your feedback about the Preview or your interest in continuing to use it after general release. • Customer Data: Microsoft may use Customer Data from Previews to improve the Preview, Services and related Microsoft products and services. • Customer Data Location: Previews may not enable geographic regional selection or may use multiple geographic regions, as specified in the Windows Azure Trust Center. • Security: Previews may employ lesser or different security measures than those typically present in the Services. Some Customer Data may be particularly sensitive to you or your organization, and hence may require a level of security that Previews do not provide. Changes to this Privacy Statement OneBridge and Microsoft will occasionally update their privacy statements to reflect customer feedback and changes in the Services. When we post changes to a statement, we will revise the "last updated" date at the top of the statement. If there are material changes to the statement or in how OneBridge or Microsoft will use your information, we will notify you either by posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review the privacy statements for the products and services you use to learn how OneBridge or Microsoft is protecting your information. How to Contact Us OneBridge welcomes your comments. If you believe that OneBridge or Microsoft is not adhering to its privacy or security commitments, please contact through Customer Support. Cookies & Similar Technologies Summary Our Use of Cookies Most Microsoft web sites use "cookies," which are small text files placed on your hard disk by a web server. Cookies contain text that can be read by a web server in the domain that issued the cookie to you. That text often consists of a string of numbers and letters that uniquely identifies your computer, but may contain other information as well. Here is an example of the text stored in a cookie that Microsoft might place on your hard disk when you visit one of our web sites: E3732CA7E319442F97EA48A170C99801 We may use cookies for: • Storing your Preferences and Settings. If you enter your city or postal code to get local news or weather information on a Microsoft site, we may store that city or postal code in a cookie so that you will see the relevant local information when you return to the site. This can save you time by eliminating the need to repeatedly enter the same information every time you visit the site. • Sign‐in and Authentication. When you sign in to a site or service using your Microsoft account, we store your unique ID number, and the time you signed in, in an encrypted cookie on your hard disk. This cookie allows you to move from page to page at the site without having to sign in again on each page. When you sign out, these cookies are deleted from your computer. We also use cookies to improve the sign‐in experience. For example, your e‐mail address may be stored in a cookie that will remain on your computer after you sign out. This cookie allows your e‐ mail address to be pre‐populated, so that you will only need to type your password the next time you sign in. If you are using a public computer or do not want this information to be stored, you can select the appropriate radio button on the sign‐in page, and this cookie will not be used. • Targeted Advertising. When we display online advertisements to you, we will place one or more persistent cookies on your device in order to recognize your device each time we display an ad to you. Because we serve advertisements on our own web sites as well as those of our advertising and publisher partners, we are able to compile information over time about the types of pages, content and ads you, or others who are using your computer, visited or viewed. This information is used for many purposes, for example, it helps us try to ensure that you do not see the same advertisements over and over again. We also use this information to help select and display targeted advertisements that we believe may be of interest to you. You can find more information about this use of cookies, including how to opt out of receiving targeted advertising from Microsoft, in Microsoft Advertising Privacy Statement. • Site Analytics. We may use cookies to count the number of unique visitors to a web page or service or to develop other aggregate statistics about the operations of our sites and services. These analytics help us operate and improve the performance of these sites and services. Some of the cookies we commonly use are listed in the following chart. This list is not exhaustive, but it is intended to illustrate some of the reasons we set cookies. If you visit one of our web sites, the site may set some or all of the following cookies: Cookie name Description MUID Identifies unique browsers to Microsoft sites. It is used for advertising, site analytics and other operational purposes. ANON Contains the ANID, a unique identifier used to help identify which ads a user may like. It is also used to preserve a user’s choice to opt out of behaviorally targeted ads from Microsoft, if the user has chosen to associate the opt‐out with his or her Microsoft account. CC Contains a country code as determined by reverse IP address lookup. Microsoft account authentication Authentication cookies (e.g., RPSTAuth, MSNRPSAuth, KievRPSAuth) used when a user signs in with a Microsoft account. NAP Contains an encrypted version of the user’s country, ZIP code, age, gender, language and occupation, if known, based on the user’s Windows Live profile. MH Appears on co‐branded sites where Microsoft is partnering with an advertiser, this cookie identifies the advertiser so the right ad is selected. ACH01 Maintains information about which ad and where the user clicked on the ad. TOptOut Indicates that the user has indicated he or she does not want to receive behaviorally targeted ads delivered by Microsoft. In addition to the cookies Microsoft may set when you visit our web sites, third parties may also set certain cookies on your hard drive when you visit Microsoft sites. In some cases, that is because we have hired the third party to provide certain services on our behalf, such as site analytics. In other cases, it is because our web pages contain content or ads from third parties, such as videos, news content or ads delivered by other ad networks. Because your browser connects to those third parties’ web servers to retrieve that content, those third parties are able to set or read their own cookies on your hard drive. How to Control Cookies • Browser Controls to Block Cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to block cookies. For example, in Internet Explorer 9, you may block cookies by taking the following steps: 1. Click "Tools" and then select "Internet Options" 2. Click the "Privacy" tab at the top of the window 3. Move the slider up or down to indicate the rules you want to apply for blocking cookies Instructions for blocking cookies in other browsers are available at http://www.allaboutcookies.org/manage‐ cookies/. Please be aware that if you choose to block cookies, you may not be able to sign in or use other interactive features of Microsoft sites and services that depend on cookies, and some advertising preferences that are dependent on cookies may not be able to be respected. • Browser Controls to Delete Cookies. If you accept cookies, you can delete them later. For example, in Internet Explorer 9, you may delete cookies by taking the following steps: 1. Click "Tools" and then select "Internet Options" 2. On the "General" tab, under "Browsing History," click the "Delete" button 3. On the pop‐up, select the box next to “Cookies” 4. Click the "Delete" button Instructions for deleting cookies in other browsers are available at http://www.allaboutcookies.org/manage‐ cookies/. Please be aware that if you choose to delete cookies, any settings and preferences controlled by those cookies, including advertising preferences, will be deleted and may need to be recreated. • Browser Controls for “Do Not Track” and Tracking Protection. Some newer browsers have incorporated “Do Not Track” features. Most of these features, when turned on, send a signal or preference to the web sites you visit indicating that you do not wish to be tracked. Those sites (or the third party content on those sites) may continue to engage in activities you might view as tracking even though you have expressed this preference, depending on the sites’ privacy practices. Internet Explorer 9 and 10 have a feature called Tracking Protection that helps prevent the web sites you go to from automatically sending details about your visit to third‐party content providers. When you add a Tracking Protection List, Internet Explorer will block third‐party content, including cookies, from any site that is listed as a site to be blocked. By limiting calls to these sites, Internet Explorer will limit the information these third‐party sites can collect about you. And when you have a Tracking Protection List enabled, Internet Explorer will send a Do Not Track signal or preference to the web sites you visit. Additionally, in Internet Explorer 10 you may switch DNT "off" or "on" independently, if you'd like. For more information about Tracking Protection Lists and Do Not Track, please see the Internet Explorer privacy statement or Internet Explorer Help. • Advertising Opt‐Out Controls. Because cookies may be used for many purposes, users who object to behaviorally targeted advertising may choose to accept cookies but opt out from that particular use. Companies in the online advertising industry have developed guidelines and programs to help protect users’ privacy, and these industry programs include web pages you can visit to opt out from receiving behaviorally targeted advertisements from all participating companies (including Microsoft). These pages include: o Digital Advertising Alliance (DAA) Consumer Choice Page: http://www.aboutads.info/choices/ o Network Advertising Initiative (NAI) Opt‐Out Page: http://www.networkadvertising.org/managing/opt_out.asp o In Europe, you may also visit Your Online Choices: http://www.youronlinechoices.com/ Individual advertising companies may also offer their own opt‐out capabilities plus more advanced advertising choices. For instance, Microsoft’s advertising preference and opt‐out controls are available at http://choice.live.com/advertisementchoice/. Please note that opting out does not mean that you will stop getting ads or see fewer ads; however, if you do opt out, the ads that you receive will no longer be behaviorally targeted. In addition, opting out does not stop information from going to our servers, but it does stop our creation or updating of profiles that might be used for behavioral advertising. Our Use of Web Beacons Microsoft web pages may contain electronic images known as web beacons ‐ sometimes called single‐pixel gifs ‐ that may be used to help deliver cookies on our sites, let us count users who have visited those pages and deliver co‐branded services. We may include web beacons in our promotional e‐mail messages or newsletters to determine whether messages have been opened and acted upon. We may also work with other companies that advertise on Microsoft sites to place web beacons on their sites or in their advertisements to let us develop statistics on how often clicking on an advertisement on a Microsoft site results in a purchase or other action on the advertiser's site. Finally, Microsoft sites may contain web beacons from third parties to help us compile aggregated statistics regarding the effectiveness of our promotional campaigns or other web site operations. These web beacons may allow the third parties to set or read a cookie on your computer. We prohibit third parties from using web beacons on our sites to collect or access your personal information. Nevertheless, you may be able to opt out from data collection or use by these third‐party analytics companies by clicking the links for each of the following analytics providers: • Omniture (Adobe): http://www.d1.sc.omtrdc.net/optout.html • Nielsen: http://www.nielsen‐online.com/corp.jsp?section=leg_prs&nav=1#Optoutchoices • Coremetrics: http://www.coremetrics.com/company/privacy.php#optout • Visible Measures: http://corp.visiblemeasures.com/viewer‐settings • Google Analytics: http://tools.google.com/dlpage/gaoptout (requires you to install a browser add‐on) Other Similar Technologies In addition to standard cookies and web beacons, web sites can use other technologies to store and read data files on your computer. This may be done to maintain your preferences or to improve speed and performance by storing certain files locally. But, like standard cookies, it can also be used to store a unique identifier for your computer, which can then be used to track behavior. These technologies include Local Shared Objects (or "Flash cookies") and Silverlight Application Storage. • Local Shared Objects or "Flash cookies." Web sites that use Adobe Flash technologies may use Local Shared Objects or "Flash cookies" to store data on your computer. Note that the ability to clear Flash cookies may or may not be controlled by your browser setting for standard cookies as that may vary by browser. To manage or block Flash cookies, go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html. • Silverlight Application Storage. Web sites or applications that use Microsoft Silverlight technology also have the ability to store data by using Silverlight Application Storage. To learn how to manage or block such storage, visit Silverlight. SCHEDULE B: MICROSOFT ACCOUNT Summary Creating a Microsoft account. You can create a Microsoft account here by providing an email address, a password and other "account proofs", such as an alternate email address, a phone number, and a question and secret answer. We will use your "account proofs" for security purposes only ‐ for instance, to verify your identity in the event that you cannot access your Microsoft account and need assistance, or to reset your password if you cannot access the email address associated with your Microsoft account. Some services may require added security, and in those cases, you may be asked to create an additional security key. The email address and password that you use to sign up for your Microsoft account are your "credentials" that you will use to authenticate with our network. Furthermore, a 64‐bit unique ID number will be assigned to your credentials and will be used to identify your credentials and associated information. When you create a Microsoft account, we will also ask you to provide the following demographic information: gender; country; birthdate; and postal code. We may use birthdate to verify that children obtain appropriate consent from a parent or guardian to use a Microsoft account, as required by local law. In addition, this demographic information is used by our online advertising systems to provide you with personalized advertisements about products and services you might find useful, but our advertising systems never get your name or contact information. In other words, our advertising systems do not contain or use any information that can personally and directly identify you (such as your name, email address and phone number). If you prefer not to receive personalized ads, you may register your preference with your Microsoft account by visiting this page so that whenever you sign into web sites or services with your Microsoft account, our advertising systems will not serve you personalized ads. For more information about how Microsoft uses information for advertising, please see the Microsoft Advertising Privacy Supplement. You can use an email address provided by Microsoft (such as those ending in live.com, hotmail.com, or msn.com) or an email address provided by a third party (such as those ending in gmail.com or yahoo.com) when signing up for your Microsoft account. Upon creating a Microsoft account, we will send you an email asking you to verify that you are the owner of the email address associated with your Microsoft account. This is designed to verify the validity of the email address and help prevent email addresses from being used without the permission of their owners. Thereafter, we will use that email address to send you communications relating to your use of Microsoft products and services; we may also send you promotional emails about Microsoft products and services as permitted by local law. For information about managing your receipt of promotional communications, please visit Communications. If you attempt to register for a Microsoft account and find that another individual has already created credentials with your email address as the user name, you may contact us and request that the other individual adopt a different user name so that you may use your email address when creating your credentials. Signing into software, sites or services with your Microsoft account. When you sign into a site or service using your Microsoft account, we collect certain information in order to verify your identity on behalf of the site or service, to protect you from malicious account usage, and to protect the efficiency and security of the Microsoft account service. For instance, when you sign in, the Microsoft account service receives and logs your credentials and other information, such as the 64‐bit unique ID number assigned to your credentials, your IP address, your web browser version and a time and date. Further, if you use a Microsoft account to sign into a device or into software that is installed on a device, a random unique ID is assigned to the device; this random unique ID will be sent as part of your credentials to the Microsoft account service when you subsequently sign into a site or service with your Microsoft account. The Microsoft account service sends the following information to the site or service that you have signed into: a unique ID number that permits the site or service to determine whether you are the same person from one sign‐in session to the next; the version number assigned to your account (a new number is assigned each time you change your sign‐in information); whether your email address has been confirmed; and whether your account has been deactivated. Some third party sites and services that permit you to sign in with your Microsoft account require your email address in order to provide you with their services. In those cases, when you sign in, Microsoft will provide your email address but not your password to the site or service. However, if you created your credentials with the site or service, it may have limited access to information associated with your credentials in order to help you reset your password or provide other support services. If you received your account from a third party, like a school, a business, an internet service provider, or the administrator of a managed domain, that third party may have rights over your account, including the ability to reset your password, view your account usage or profile data, read or store content in your account, and suspend or cancel your account. In these cases, you are subject to the Microsoft Service Agreement and to any additional terms of use from that third party. If you are the administrator of a managed domain and have provided your users with Microsoft accounts, you are responsible for all activity that takes place within such accounts. Please note that sites and services that permit you to sign in with your Microsoft account can use or share your email address or other personal information that you provide to them as described in their privacy statements. However, they can share the unique ID number provided to them by the Microsoft account service with third parties only in order to fulfill a service or transaction that you may have requested. All sites or services that use the Microsoft account are required to have a posted privacy statement, but we do not control or monitor the privacy practices of those sites, and their privacy practices will vary. You should carefully review the privacy statement for each site you sign into in order to determine how each site or service will use the information it collects. Accessing your personal information. You can access your personal information by going to account. You can change your user name if your Microsoft account does not belong to a managed domain. You can always change your password, alternate email address, phone number, and question and secret answer. You may also close your Microsoft account by going to account, and then "Close your account." If your account is in a managed domain, as described above, there may be a special process for closing your account. Please note that if you are an MSN or a Windows Live user, if you go to account, you may be redirected to account for those sites. More information about Microsoft account is available at the Microsoft account web site. SCHEDULE C: WINDOWS AZURE TRUST CENTER – INTRODUCTION As a Windows Azure customer, you have entrusted Microsoft to help protect your data. Microsoft values this trust, and the privacy and security of your data is one of our top concerns. Microsoft strives to take a leadership role when it comes to security, privacy, and compliance practices. Learn more about Microsoft's commitment to your data Relentless on Security Excellence in cutting edge security practices Learn More Your Privacy Matters We respect the privacy of your data Learn More Independently Verified Compliance with world class industry standards verified by third parties Learn More FAQs Frequently Asked Questions Learn More For more information on our legal agreements, please see Windows Azure Legal Information. Shared Responsibility Our customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with legal requirements applicable elsewhere. As a provider of global cloud services, we must run our services with common operational practices and features across multiple geographies and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind. However, it is ultimately up to our customers to evaluate our offerings against their own requirements, so they can determine if our services satisfy their regulatory needs. We are committed to providing our customers with detailed information about our cloud services to help them make their own regulatory assessments. It is also important to note that a cloud platform like Windows Azure requires shared responsibility between the customer and Microsoft. Microsoft is responsible for the platform, and seeks to provide a cloud service that can meet the security, privacy, and compliance needs of our customers. Customers are responsible for their environment once the service has been provisioned, including their applications, data content, virtual machines, access credentials, and compliance with regulatory requirements applicable to their particular industry and locale. Updates The information presented in the Windows Azure Trust Center is current as of the “last updated” date at top but is subject to change without notice. We encourage you to review the Trust Center periodically to be informed of new security, privacy and compliance developments. SCHEDULE D: WINDOWS AZURE TRUST CENTER ‐ COMPLIANCE Microsoft complies with the data protection and privacy laws generally applicable to Microsoft’s provision of a cloud services platform. Customers are responsible for determining if Windows Azure, and the particular applications they intend to run in Windows Azure, comply with the specific laws and regulations applicable to customers’ industry and use scenario. To help our customers comply with their own specific requirements, we put in place a comprehensive compliance framework through which we will be advancing all Windows Azure features. Microsoft is committed to providing Windows Azure customers with detailed information about our security compliance programs to help customers make their own regulatory assessments. However, it is ultimately up to our customers to evaluate Windows Azure compliance programs against their own requirements to determine if our services satisfy their regulatory needs. The Microsoft Approach to Cloud Transparency This paper provides an overview of various risk, governance, and information security frameworks and standards. It also introduces the cloud‐specific framework of the Cloud Security Alliance (CSA), known as the Security, Trust & Assurance Registry (STAR). ISO/IEC 27001:2005 Audit and Certification IS 577753 Windows Azure is committed to annual ISO/IEC 27001:2005 certification. The certificate issued by the British Standards Institution (BSI) is publically available. The Windows Azure ISO/IEC 27001:2005 Statement of Applicability is available upon escalation to customers under a non‐disclosure agreement. It includes over 130 security controls, and it maps Windows Azure controls to control objectives contained in Annex A of ISO/IEC 27001:2005. Please contact your local Microsoft representative to obtain a copy of the document. ISO/IEC 27001:2005 is a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. Scope: Only the following Windows Azure features are in scope for the current ISO/IEC 27001:2005 certification: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Networking. SOC 1 and SOC 2 SSAE 16/ISAE 3402 Attestations Windows Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements. The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Windows Azure controls. The SOC 2 Type 2 audit included a further examination of Windows Azure controls related to security, availability, and confidentiality. Windows Azure is audited annually to ensure that security controls are maintained. Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). Scope: The following Windows Azure features and the worldwide data centers that support them are in scope for the current SOC 1 Type 2 and SOC 2 Type 2 attestations: Cloud Services (includes stateless Web, and Worker roles), Storage (Tables, Blobs, Queues), Virtual Machines (includes persistent virtual machines for use with supported operating systems) and Networking (includes Traffic Manager). Please contact your local Microsoft representative to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Windows Azure. Cloud Security Alliance Cloud Controls Matrix Windows Azure has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and CSA as a means of meeting the assurance and reporting needs of the majority cloud services users. The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. By having completed an assessment against the CCM, Windows Azure offers transparency into how its security controls are designed and managed with verification by an expert, independent audit firm. Detailed information about how Windows Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM is also published in the CSA’s Security Trust and Assurance Registry (STAR). HIPAA Business Associate Agreement (BAA) HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Windows Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum. Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or a Windows Azure only EA enrollment in place with Microsoft. The Windows Azure only EA does not depend on seat size, rather on an annual monetary commitment to Windows Azure that allows a customer to obtain a discount over pay as you go pricing. The BAA is currently not available to pay‐as‐you‐go customers who have Windows Azure Agreement in place. Customers should contact their Microsoft account manager to sign the agreement. Prior to signing the BAA, customers should read the Windows Azure HIPAA Implementation Guidance. This document was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Windows Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, and details Windows Azure provisions for handling security breaches. While Windows Azure includes features to help enable customer’s privacy and security compliance, customers are responsible for ensuring their particular use of Windows Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel. Scope: Only the following Windows Azure features are covered by the current HIPAA BAA: Virtual Machines, Cloud Services, Storage (Tables, Blobs, Queues, Drives), and Networking. SCHEDULE E: WINDOWS AZURE TRUST CENTER – PRIVACY Privacy Privacy is one of the foundations of Microsoft’s Trustworthy Computing. Microsoft has a longstanding commitment to privacy, which is an integral part of our product and service lifecycle. We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and manage responsibly the data we store. The Microsoft Privacy Principles, our specific privacy statements, and our internal privacy standards guide how we collect, use, and protect Customer Data. General information about cloud privacy is available from the Microsoft Privacy Web site. We also published a white paper Privacy in the Cloud to explain how Microsoft is addressing privacy in the realm of cloud computing. The Windows Azure Privacy Statement describes the specific privacy policy and practices that govern customers’ use of Windows Azure. Location of Customer Data Microsoft currently operates Windows Azure in data centers around the world. In this section, we address common customer inquiries about access and location of Customer Data. • Customers may specify the geographic region(s) of the Microsoft datacenters in which Customer Data will be stored. Available regions are shown below. Please see the Windows Azure Service Dashboard for individual sub‐region service availability. Major Region Sub‐Region Asia East (Hong Kong) Southeast (Singapore) Europe North (Ireland) West (Netherlands) United States North Central (Illinois) South Central (Texas) East (Virginia) West (California) • Microsoft may transfer Customer Data within a major geographic region (e.g., within Europe) for data redundancy or other purposes. For example, Windows Azure replicates Blob and Table data between two sub‐regions within the same major region for enhanced data durability in case of a major data center disaster. • Microsoft will not transfer Customer Data outside the major geographic region(s) customer specifies (for example, from Europe to U.S. or from U.S. to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where customer configures the account to enable such transfer of Customer Data, including through the use of: o Features that do not enable regional selection such as Content Delivery Network (CDN) that provides a global caching service; o Web and Worker Roles, which backup software deployment packages to the United States regardless of deployment region; o Preview, beta, or other pre‐release features that may store or transfer Customer Data to the United States regardless of deployment region; o Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers; o Windows Azure Multi‐Factor Authentication, which stores authentication data in the United States. • Microsoft does not control or limit the regions from which customers or their end users may access Customer Data. See the E.U. Data Protection Directive section below for information on the regulatory framework under which Microsoft transfers data. E.U. Data Protection Directive The E.U. Data Protection Directive (95/46/EC) sets a baseline for handling personal data in the European Union. The E.U. has stricter privacy rules than the U.S. and most other countries. To allow for the continuous flow of information required by international business (including cross border transfer of personal data), the European Commission reached an agreement with the U.S. Department of Commerce whereby U.S. organizations can self‐ certify as complying with the Safe Harbor Framework. Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor certified under the U.S. Department of Commerce. In addition to the E.U. Member States, members of the European Economic Area (Iceland, Liechtenstein, and Norway) also recognize organizations certified under the Safe Harbor program as providing adequate privacy protection to justify trans‐border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (“Swiss‐U.S. Safe Harbor”) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified. The Safe Harbor certification allows for the legal transfer of E.U. personal data outside E.U. to Microsoft for processing. Under the E.U. Data Protection Directive and our contractual agreement, Microsoft acts as the data processor, whereas the customer is the data controller with the final ownership of the data and responsibility under the law for making sure that data can be legally transferred to Microsoft. It is important to note that Microsoft will transfer E.U. Customer Data outside the E.U. only under very limited circumstances. See the Location of Data section for details. Microsoft also offers additional contractual commitments to its volume licensing customers: • A Data Processing Agreement that details our compliance with the E.U. Data Protection Directive and related security requirements for Windows Azure core features within ISO/IEC 27001:2005 scope. • E.U. Model Contractual Clauses that provide additional contractual guarantees around transfers of personal data for Windows Azure core features within ISO/IEC 27001:2005 scope. Please contact your Microsoft account manager or Microsoft Volume Licensing for details. Customer Data and Other Data Types • Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services. For example, Customer Data includes data that you upload for storage or processing in the Services and applications that you or your end users upload for hosting in the Services. It does not include configuration or technical settings and information. • Administrator Data is the information about administrators (including account contact and subscription administrators) provided during sign‐up, purchase, or administration of the Services, such as name, address, phone number, and e‐mail address. • Metadata includes configuration and technical settings and information. For example, it includes the disk configuration settings for a Windows Azure Virtual Machine or database design for a Windows Azure SQL Database. • Access Control Data is used to manage access to other types of data or functions within Windows Azure. It includes passwords, security certificates, and other authentication‐related data. SCHEDULE F: WINDOWS AZURE TRUST CENTER – SECURITY Windows Azure runs in data centers managed and operated by Microsoft Global Foundation Services (GFS). These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity. In addition to data center, network, and personnel security practices, Windows Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators. Standard Response to Request for Information: Security and Privacy The Cloud Security Alliance published the Cloud Control Matrix (CCM) to support customers in the evaluation of cloud services. In response to this publication, Microsoft has created a white paper to outline how Windows Azure security controls map to the CCM controls framework, providing customers with in‐depth information on Windows Azure security policies and procedures. Please see Windows Azure Cloud Security Alliance STAR submission for more information. Penetration Testing Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes. We understand that security assessment is also an important part of our customers' application development and deployment. Therefore, we have established a policy for customers to carry out authorized penetration testing on their applications hosted in Windows Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance from Windows Azure Customer Support. Penetration testing must be conducted in accordance with our terms and conditions. Requests for penetration testing should be submitted with a minimum of 7‐day advanced notice. To learn more or to initiate penetration testing, please download the Penetration Testing Approval Form and then contact Windows Azure Customer Support. Security Resources for Windows Azure Technical Overview of the Security Features in the Windows Azure Platform This document provides a summary of some of the technical and organizational security measures for Windows Azure. Windows Azure Security Overview This in‐depth paper provides a detailed discussion of some of the security features and controls implemented in Windows Azure. Security Best Practices for Developing Windows Azure Applications This paper focuses on the recommended approaches for designing and developing secure applications for Windows Azure. Windows Azure Data Security (Cleansing and Leakage) This blog posting details procedures implemented in Windows Azure to prevent data leakage or exposure of customer data upon data deletion. Windows Azure Security Notes This document from the Patterns and Practices team provides solutions for securing common application scenarios on Windows Azure. Crypto Services and Data Security in Windows Azure This MSDN article provides an overview of cryptography concepts and related security in Windows Azure. Windows Azure: Understanding Security Account Management in Windows Azure Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. This TechNet article covers best practices for creating and managing administrative accounts, using certificates for authentication, and handling transitions when employees begin or terminate employment. Securing and Authenticating a Service Bus Connection This MSDN Library article discusses how to develop applications that use the Windows Azure Service Bus to perform secure connections. Scenarios and Solutions Using Windows Azure Active Directory Access Control This section of the MSDN Library contains articles that discuss how to use the Windows Azure Active Directory Access Control for securing web applications, single sign‐on, user authorization, and more. Security Guidelines for SQL Database This paper provides an overview of security guidelines for customers who connect to SQL Database (formerly SQL Azure), and who build secure applications on SQL Database. Business Continuity for Windows Azure This MSDN article provides guidance on how to use Windows Azure to achieve business continuity and disaster recovery goals. Business Continuity in SQL Database This MSDN article describes the business continuity capabilities provided by SQL Database (formerly SQL Azure). The purpose of creating database backups is to enable you to recover from data loss caused by the failure of individual servers and devices, unwanted data modifications and deletions, and widespread loss of data center facilities. Windows Azure Developer Center This website provides a variety of developer resources for Windows Azure, including a list of additional whitepapers.