Skip to content
MITIGATION SERVICE SCHEDULE
IRIS NETWORKS DISTRIBUTED DENIAL of SERVICE
1. General.
1.1 This Mitigation Service Schedule (“Schedule”) is applicable only where the Customer places a Service Order (“Order”) for the Distributed Denial of Service – Mitigation Service (collectively “DDoS Mitigation”) Products provided by IRIS Networks (“IRIS”).
1.2 This Schedule incorporates the terms of the Customer Master Service Agreement (“MSA”) or other service agreement (“Agreement”) under which IRIS provides Products to Customer.
1.3 If a conflict exists among the documents, the order of priority will be this Schedule, the MSA, Agreement, and the Order(s).
2. DDoS Mitigation.
2.1 DDoS Mitigation is available on Customer’s separately purchased internet services. The Order will specify DDoS Mitigation Product(s) selected by the Customer.
2.1.2 DDoS Mitigation includes and protects Customer IP addresses up to a combination of 256 /24 of IPv4 or 256 /48 of IPv6. Unlimited protected IP addresses, which may also be referred to as unlimited address space size or unlimited address space.
2.1.3 Notwithstanding anything in the Schedule to the contrary, IRIS may, in its sole and absolute discretion, use a vendor for any or all the work to be performed (e.g. installation) or Products provided under this Schedule, provided that IRIS remains responsible for the performance of its obligations in this Schedule. IRIS Products that work in conjunction with DDoS Mitigation (i.e. internet services) are subject to separate service schedules.
3. Products.
3.1 Certain Products are subject to geographic and/or feature availability, may require additional terms, and may be provided by IRIS vendor.
3.2 DDoS-BLK: IRIS inspects and filters Attack traffic on Customer internet service. If requested by the Customer or if traffic is impacting IRIS network’s performance, IRIS will “Black-hole” impacting IP addresses until the Customer mitigates the threat. The customer must report any new attacks not effectively blocked by predefined filters to IRIS Networks.
3.3 DDoS-LNK: IRIS consistently monitors Customers internet services. Diverted traffic entering IRIS’s networks mitigation infrastructure will be inspected and filtered of Attack traffic based on predefined filters agreed upon by IRIS and Customer. Customer must report to IRIS any new attacks not effectively blocked by predefined filters. IRIS will respond to new requests for mitigation in accordance with the Time to Mitigate (“TTM”) Service Level Agreement (“SLA”) TTM SLA.
3.4 DDoS-ILR: IRIS provides a router licenses and router-based mitigation for Customers. IRIS continuously monitors the router(s) and the Customer’s internet traffic. Diverted traffic entering the Mitigation Infrastructure is inspected and filtered of Attack traffic based on predefined filters agreed upon by IRIS and Customer. Customer must report to IRIS any Attacks not effectively blocked by predefined filters. IRIS will respond to new requests for mitigation in accordance with the TTM SLA.
3.5 DDoS-CPL: IRIS provides interconnection router-based mitigation for IRIS approved Customer licensed router(s). Customer router(s) allow the IRIS DDoS Mitigation to continuously monitor Customer’s internet traffic. Diverted traffic entering IRIS Mitigation Infrastructure will be inspected and filtered of Attack traffic based on predefined filters agreed upon by IRIS and Customer. Customer must report to IRIS any new attacks not effectively blocked by predefined filters. IRIS will respond to new requests for Mitigation in accordance with the TTM SLA.
4. Support Levels.
4.1 The following Support Levels are not available until completion of Service Validation (see definitions section 7). Whether a Product issue constitutes an outage or failure, a Credit will be determined by IRIS based on available records, data, and other evidence, including third-party monitoring tools. Credits are only available against the MRC for the affected Product. The Support Levels stated below apply to the mitigation aspect of Products. Support Levels do not apply to any Product features not expressly identified in this section, or outages or failures due to Excused Outages, Suspension or Chronic Problems.
A) DDoS-BLK Support Levels are not covered under this section of the Schedule.
B) DDoS Mitigation Support Levels, Credits and Chronic Outages. IRIS uses commercially reasonable efforts to ensure the Mitigation Infrastructure is available to the Customer one hundred percent (100%) of the time once a Customer’s IP traffic is routed to the Mitigation Infrastructure in response to a confirmed Attack and until a Customer’s IP traffic is re‑routed back to normal following cessation of the Attack.
4.2 For purposes of this Schedule, a “Mitigation Outage” is defined as: the Mitigation Infrastructure being unavailable to a Customer while the Customer is routing traffic through it. More specifically, this means the Customer cannot pass traffic through the Mitigation Infrastructure for more than 15 consecutive minutes.
4.3 If the Mitigation Outage SLA is not met, the following remedies will apply:
Mitigation Outage Duration
• >15-minutes < four (4) consecutive hours Credit three (3) days of the MRC*
• >four (4) consecutive hours Credit five (5) days of the MRC*
*The Credit is a payment to the customer invoice and is based on the MRC associated with the affected Product at the affected location. Per-day calculation based on a 30-day calendar month.
4.4 In no event will Customer receive Credit for more than one (1) Mitigation Outage per day pursuant to the terms of this Section 4 (B), regardless of the number of times IRIS fails to comply with the Mitigation Outage SLA during that day.
4.5 Chronic Outages.
4.5.1 In addition to the above credit(s), Customer will be entitled to terminate the affected DDoS Mitigation without early-termination liability within 30-calendar days of the date/time the right of termination is triggered, if any of the following apply:
(i) a single, continuous Mitigation Outage extends for ten (10) or more consecutive days; or
(ii) seven (7) separate Mitigation Outages, each lasting at least 60-minutes in a 90-day period; and
4.6 DDoS Mitigation TTM SLA.
4.6.1 IRIS agrees to deploy DDoS Mitigation following Customer approval (which may be verbal) and Customer properly routing traffic to the Mitigation Infrastructure during an Attack. The TTM SLA is measured in minutes commencing from either:
(i) the time IRIS obtains Customer approval and Customer properly routing traffic to the Mitigation Infrastructure during an Attack, or
(ii) the time of automated initiation by Flow Based Monitoring (“FBM”) to route Customer’s traffic to the Mitigation Infrastructure when an Attack is detected (“Auto‑Mitigation”) until the time (in minutes) IRIS deploys countermeasures to initiate mitigation. The applicable TTM SLA for each type of Attack is set forth below.
Attack Type TTM SLA for DDoS-LNK, DDoS-ILR and DDoS CPL
UPDP/ICMP SYN Floods 20-minutes
SYN Floods
TCP Flag Abuses
DNS Reflection
DNS Attack
If the TTM SLA is not met, the following remedies apply:
Time to Initiate Mitigation
>20-minutes < 60-minutes Credit one (1) day of the MRC*
>60-minutes < six (6) hours Credit two (2) days of the MRC*
>six (6) hours Credit four (4) days of the MRC*
*The Credit is a payment to the customer invoice and is based on the MRC associated with the affected Product at the affected location. Per day calculation based on a 30-day calendar month.
4.6.2 If the TTM SLA is not achieved three (3) or more times in a single day, IRIS will provide a one (1) Credit for that day equal to the maximum seven (7) days of the MRC.
4.6.3 Mitigation requiring traffic analysis and custom signature development are not covered under the TTM SLA.
4.7 Customer is deemed to have pre‑approved DDoS Mitigation for Products, and the NOC does not need to call Customer for permission to start mitigation. Certain mitigation countermeasures related to FBM may be pre‑authorized by Customer. If a countermeasure is required that has not been pre‑authorized (e.g. in addition to the pre‑authorized countermeasures), verbal approval is required from Customer to deploy such countermeasure.
4.8 General Terms for all Support Levels.
4.8.1 IRIS continually makes improvements to Products and reserves the right to make the following changes at any time: updates, error corrections, bug fixes, and other modifications.
4.8.2 The changes also apply to any software, equipment or hardware utilized by IRIS or its vendors to provide the Products. IRIS will use reasonable efforts to make such changes during the regularly scheduled maintenance window.
4.8.3 DDoS-ILR and DDoS-CPL Customers must verify that the outage is not a result of Customer router DDOS functions before submitting an outage report. If Customer router or IP configuration is found to be at issue, no credits will be provided.
4.8.4 In no case shall the amount of Credits be greater than the MRC of the affected DDoS Product.
5. Customer Responsibilities.
5.1 Charges.
5.1.1 Service for Products are billed monthly in advance. DDoS Mitigation rates are up to a predefined bandwidth level or number of routers designated on the Order. Charges consist of two (2) components:
(i) non‑recurring charges, (“NRC”, “One Time Charges”, or similar references), if applicable, and
(ii) monthly recurring charges (“MRC”, “Monthly Charges”, or similar references).
5.1.2 Expedite Service. Certain DDoS Mitigation is eligible for expedited “turn‑up” of Product for an additional NRC. Customer acknowledges and agrees that an Expedited Service request means acceptance of an additional NRC and cooperating with IRIS to accelerate DDoS Mitigation installation ordered.
(i) If Customer does not accept DDoS Mitigation after the Expedited Service has been turned up, Customer will be billed and agrees to pay 100% of the MRC at Customer hand-off by IRIS Networks. IRIS will exercise good faith efforts to turn-up Expedited Service, the Order will be processed in a prioritized manner.
(ii) If Customer orders Expedited Service, there is no Portal access and no Support Levels will apply to Expedited Service during the first fourteen (14) days of service.
5.1.3 IRIS reserves the right to suspend Expedited Service, DDoS Mitigation, DDoS-BLK, DDoS-LNK, DDoS-ILR, and DDoS-CPLat any time if Customer fails to satisfy credit requirements which may be imposed after the completion of a credit review, even if Product is provisioned.
5.1.4 If there are multiple locations, billing will automatically begin when IRIS completes provisioning for each location.
5.1.5 Charges for certain Products are subject to (a) a property tax surcharge and (b) a cost recovery fee per month to reimburse IRIS for various governmental taxes and surcharges. Such charges are subject to change by IRIS and will be applied regardless of whether Customer has delivered a valid tax exemption certificate.
5.2 Commencement Date.
5.2.1 The Commencement Date for DDoS Mitigation begins on the date IRIS notifies Customer as stated on the Completion Notice in writing or electronically. The Completion Notice for DDoS Mitigation is issued either upon:
(i) successful completion of Service Validation, or
(ii) after IRIS has provisioned all components of the Product that be provisioned without Customer’s assistance.
No additional Completion Notices will be provided.
5.2.2 The Commencement Date for DDoS-LNK, DDoS-ILR and DDoS-CPLbegins five (5) calendar days after IRIS notifies Customer that at least one (1) clean traffic return path has been provisioned.
5.2.3 The Commencement Date for DDoS-BLK begins on the date/time the Product is configured within the platform after Customer initiates and/or submits the request.
5.3 Term; Renewal; Termination.
5.3.1 Term; Renewal; Termination applies in lieu of any other term, cancellation, and termination section, including any available rights of termination that may be in this Schedule.
5.3.2 Term; Renewal. DDoS Mitigation has a minimum term that begins on the Commencement Date and continues for the period set forth in the Order. DDoS Mitigation will automatically renew annually for subsequent 12-month periods upon expiration of the initial Term. Renewal terms for third-party software may be determined by the applicable third‑party provider.
5.3.3 Termination. If DDoS Mitigation is terminated either by IRIS as a result of Customer’s default or by Customer for any reason other than IRIS’ default, and prior to the conclusion of the applicable Term, then the Customer will be liable for the Early-Termination Charges set forth in this Schedule. Customer is responsible for 100% of the MRC multiplied by the number of months remaining in the Term. Customer is fully responsible for updating DNS entries to no longer point to IRIS prior to any termination date, whether it is requested by Customer or IRIS; failure to do so will make the website inaccessible.
5.4 IP Addresses.
5.4.1 If IRIS or an applicable IRIS vendor, grants to Customer a right to use an IP address as part of provisioning, the Customer acknowledges and agrees the IP address is owned or leased by IRIS or the applicable IRIS vendor and the IP address will revert to IRIS or the applicable IRIS vendor after termination of the applicable Order for any reason whatsoever, and Customer will cease using the IP address. At any time after termination, IRIS or the applicable IRIS vendor may re‑assign IP address(es) to another user.
5.4.2 If IRIS does not assign an IP address to Customer as part of provisioning, the Customer represents and warrants that all title, rights, and interest in and to each IP address used by Customer in connection with the Product is owned exclusively by Customer and/or Customer has all permissions necessary from the owner to enable IRIS and Customer to perform their obligations.
(i) Customer will defend IRIS and its affiliates from any claim, demand or action arising in connection with a breach of the foregoing warranty.
(ii) Customer will pay any costs of settlement, or any damages finally awarded by a court of competent jurisdiction against IRIS and payable to such third-party as a result of such claim.
5.5 Customer Information.
5.5.1 Customer must:
(i) Provide and maintain an English-speaking point of contact available 24/7.
(ii) Ensure the contact’s information is current, complete, and accurate at all times.
5.5.2 The designated contact should:
(i) Be reachable for all DDoS Mitigation-related notifications, including
a) Set-up and installation
b) Other required communications
(ii) Have the authority to:
a) Consent to changes in the Customer’s security infrastructure or architecture
b) Direct such changes, as applicable
5.6 Customer must cooperate with IRIS and IRIS vendors in coordinating setup of DDoS Mitigation, including but not limited to, placing the necessary routing device at the edge of Customer’s environment and cooperating with IRIS in the rerouting of IP traffic to the Mitigation Infrastructure during an Attack.
5.7 Notification Responsibilities.
5.7.1 Customer must provide IRIS with all the following notices:
(i) 24-hours advance notice of any:
a. potential promotional events or other activities that may increase Customer’s network or website traffic;
b. Customer requests to change the traffic baseline;
(ii) immediate notice:
a. of any additions or deletions to the list of Customer IP addresses subject to DDoS Mitigation;
b. of any sudden events that may cause significant IP traffic pattern changes in Customer’s network;
c. if Customer believes it is under an Attack and provide IRIS with reasonable assistance to reroute the IP traffic to the Mitigation Infrastructure;
d. related to any changes to Customer’s contact information, including email; and
(iii) at least five (5) business days of any network topology or system changes that may affect utilization or the effectiveness of DDoS Mitigation counter‑measures to avoid potential Mitigation impacts.
5.7.2 Changes that impact Products or price must be agreed to in a new Order before the change will go into effect.
5.7.3 If Customer doesn’t comply with its notification responsibilities or if Customer performs system changes without prior notification to IRIS ,IRIS may not be able to provide the DDoS Mitigation, or the Mitigation may not function properly, including the inability to monitor traffic or the generation of false alerts.
5.7.4 IRIS will work with the Customer to resolve chronic false positives and other nuisance alerts; however, if alerting issues are not resolved satisfactorily, IRIS may modify the DDoS Mitigation system configuration to reduce repetitive alarms caused by Customer system changes.
5.8 Due to the varying nature of malicious activity, IRIS cannot guarantee that all malicious activities intended to be blocked will be identified, detected and blocked. Customer must establish and consistently maintain reasonable and adequate security policies and devices for defense of its assets. Customer acknowledges that DDoS Mitigation is regarded as a tool that can be used as part of the Customer’s overall security strategy, but not as a total solution. Customer acknowledges that Customer, and not IRIS, is responsible for Customer’s own network security policy and security response procedures.
5.9 Customer understands and expressly consents that in the performance of its obligations in this Schedule, notwithstanding any other requirements in the Customer MSA and Agreement between IRIS and Customer, IRIS (or its vendors) may route Customer traffic to the Mitigation Infrastructure which is located in a country other than the country of origination and/or destination of such traffic.
5.10 If Customer or IRIS detect that Mitigation is affected by a continuing error, conflict or trouble report, or similar issue (in each case a “Chronic Problem”) caused by the Customer, Customer will resolve any Chronic Problem by taking whatever steps are deemed necessary to rectify the same, including, but not limited to:
(i) removing or modifying the existing DDoS Mitigation configuration (or requesting IRIS to remove the same); or
(ii) replacing Customer’s equipment providing DDoS Mitigation, should that be deemed necessary.
5.10.1 If Customer has not remedied the Chronic Problem within 30-days of request by IRIS, then IRIS may suspend or terminate DDoS Mitigation. The SLA will not apply, and Customer will not be entitled to receive a Credit or exercise a Termination right under the SLA during periods of Chronic Problems caused by Customer.
5.11 Installation/Setup.
5.11.1 Customer will cooperate with IRIS by providing with all information reasonably requested including a point of contact.
5.11.2 Customer will provide data parameters that allows IRIS to determine the proper threshold levels in an attempt to diagnose an Attack.
5.11.3 IRIS may require Customer to allow traffic monitoring to determine proper threshold levels.
5.12 Software.
5.12.1 If any third‑party software, including any corresponding documentation, is provided to Customer by IRIS in connection with the DDoS Mitigation, Customer will defend IRIS and its affiliates from any claim, demand or action arising in connection with Customer’s failure to use Third-Party Software in a manner not authorized by this Schedule.
5.12.2 Customer will pay any settlement costs, or damages awarded by a court of competent jurisdiction against IRIS and payable to such third-party as a result of such claim.
5.12.3 Customer acknowledges and agrees that it is solely responsible for selecting and ensuring that Customer provided software, and systems are up to date and supportable.
5.12.4 Customer is solely responsible for the installation, operation, maintenance, use and compatibility of the Customer provided software or systems. Customer’s failure to do so may result in IRIS inability to provide DDoS Mitigation and IRIS will have no liability therefrom, including Support Levels.
5.12.5 For any third‑party software designated Third-Party Software or Service (“TPSS”), IRIS offers quoting, ordering, and billing only. Customer acknowledges that fees, payment, pricing, billing, tax, and early-termination terms are governed by this Schedule, Customer MSA, or Agreement and IRIS reserves the right to exercise all available remedies, including Suspension or Termination for non‑payment.
5.12.6 Customer will be required to agree (i.e., express, active acceptance or passive acceptance via these terms) to the applicable software licensors or vendors’, then-current, standard terms and conditions as a condition of having access to the TPSS.
5.13 Customer consents to IRIS and the applicable vendors or licensors collecting and compiling system and operational metrics data to determine trends and improve service capabilities. IRIS and its vendors and/or licensors may associate this data with similar data of other Customers so long as the data is merged in a manner that will not in any way reveal the data as being attributable to any specific Customer.
5.14 Testing.
5.14.1 Customer will not attempt, permit, or instruct any party to take any action that would reduce the effectiveness of DDoS Mitigation . Without limiting the foregoing, Customer is specifically prohibited from conducting unannounced or unscheduled test Attacks, penetration testing, or external network scans on IRIS’ network without the prior written consent.
5.15 Change Request.
5.15.1 Customers must request non‑price impacting DDoS Mitigation changes by opening a trouble ticket or by contacting the NOC.
5.15.2 Customers must provide complete authentication credentials when requesting changes.
5.15.3 Any non‑emergency changes or service design changes that may be required outside of an Attack, require a change order.
5.16 Neither Customer nor its representatives will attempt in any way to circumvent or otherwise interfere with any security precautions or measures of IRIS relating to DDoS Mitigation Products or any other IRIS equipment.
5.17 Customers who have published RPKI (see definitions section 7) ROAs are responsible for updating the Route Registry associated with their IP space and AS number to permit IRIS to advertise the applicable IP address to help ensure proper routing of legitimate traffic. If Customer does not update the registry accordingly, IRIS’ ability to mitigate some or all Attacks on Customer’s IP address will be reduced.
5.18 Portal Use.
5.18.1 If IRIS provides Customer with Portal access in connection with DDoS Mitigation, Customer will use this access solely for use of DDoS Mitigation in accordance with this Schedule and the Agreement, and Customer will be responsible for any unauthorized access to or use thereof unless Customer can prove that access or use has not caused any culpable action or omission of Customer or attributable to Customer.
5.18.2 The Portal uses two‑factor authentication (“2FA”) for access. Customer must install 2FA software for validating user identity before accessing the Portal. Access to Portal may be disabled for users that have been inactive for more than six (6) months, thus requiring the user to contact IRIS if they wish to reestablish access.
5.18.3 In addition, as is part of any support requested by Customer, IRIS may need to access Customer information within the Portal and Customer’s request for support constitutes its consent for IRIS to access the Portal information as needed.
6. Additional Terms, Service Limitations and Disclaimers.
6.1 Intellectual Property.
6.1.1 DDoS Intellectual Property includes, by way of example, playbooks, runbooks, reports, operational processes, and IRIS equipment configuration settings.
6.1.2 If IRIS develops or creates any intellectual property as part of DDoS Mitigation (“DDoS Intellectual Property”), that DDoS Intellectual Property will be, and remain, the exclusive property of IRIS and will not be considered a work for hire.
6.1.3 Customer has no right to sell, lease, license or otherwise transfer, with or without consideration, any DDoS Intellectual Property to any third-party or permit any third-party to reproduce or copy or otherwise use or see the DDoS Intellectual Property in any form and will use all reasonable efforts to ensure that no improper or unauthorized use of the DDoS Intellectual Property is made.
6.1.4 Customer will not reverse engineer or de‑compile any DDoS Intellectual Property, unless expressly permitted by applicable law.
6.1.5 Customer will promptly, upon termination of this Schedule or upon the request of IRIS Networks, deliver to IRIS all DDoS Intellectual Property without retaining any copy or duplicate; except that Customer may keep a copy of any report(s) provided by SIRIS NOC Support, which may have been previously referred to as DDoS service assistance subject to prior approval of IRIS and treatment of the reports as confidential.
6.1.6 Customer is expressly prohibited from using any component of DDoS Mitigation or DDoS Intellectual Property other than as expressly provided for in this Schedule.
6.2 Privacy/Data Protection.
6.2.1 Customer acknowledges that IRIS may process personal information of Customer and/or its end users in connection with providing, monitoring, and managing DDoS Mitigation, including across national borders. IRIS may also disclose such information to its affiliates and underlying vendors for similar processing in connection with providing DDoS Mitigation or to comply with applicable law.
6.2.2 Customer is responsible for complying with all privacy and data protection laws and regulations regarding Customer content, end users, and other relevant data Customer elects to process via DDoS Mitigation, including ensuring a valid legal basis and adequate notifications for all such processing.
6.2.3 Customer is solely responsible for properly configuring and using DDoS Mitigation and taking its own steps to maintain appropriate security controls, information protection, and backup (if applicable) of any data, which may include the use of encryption technology to protect such data from unauthorized access or use. Given that Customer determines which data to process via DDoS Mitigation and which security measures to apply to such data, notwithstanding anything else to the contrary in this Schedule, Customer and not IRIS will be responsible for whether the Mitigation is suitable to process the relevant data.
6.3 For IRIS DDoS-ILR and DDoS-CPL Products, Customers must follow IRIS or Third-Party router hardware and software recommendations and keep all router software revisions compliant with third-party specifications and support.
6.4 Additional Disclaimer of Warranty; Liability.
6.4.1 Customer acknowledges DDoS Mitigation endeavor to Mitigate security Events, but Events, even if determined to be Attacks, may not be mitigated entirely, or rendered harmless.
6.4.2 Customer further acknowledges that it should consider DDoS Mitigation as just one (1) tool to be used as part of an overall security strategy and not a guarantee of security.
6.4.3 The DDoS Mitigation provided in this Schedule is a supplement to Customer’s existing security and compliance frameworks, network security policies and security response procedures, for which IRIS is not, and will not be, responsible. While IRIS will use reasonable commercial efforts to provide DDoS Mitigation in accordance with the SLA, DDoS Mitigation are otherwise provided “as‑is.”
6.4.5 IRIS MAKES NO WARRANTY, GUARANTEE, OR REPRESENTATION, EXPRESS OR IMPLIED, THAT ALL SECURITY THREATS AND VULNERABILITIES WILL BE DETECTED, THAT THE PERFORMANCE OF DDOS MITIGATION WILL RENDER CUSTOMER’S SYSTEMS INVULNERABLE TO SECURITY BREACHES, THAT ANY THIRD-PARTY SOFTWARE PROVIDED BY CUSTOMER WILL BE COMPATIBLE WITH DDOS MITIGATION PRODUCTS AND/OR THAT IRIS’ PERFORMANCE OF SECURITY SERVICES, INCLUDING ACTIVITIES OR TASKS WILL COMPLY WITH OR SATISFY ANY APPLICABLE GOVERNMENTAL OR INDUSTRY DATA SECURITY STANDARD. IF ACTIVITIES OR TASKS INCLUDE BY WAY OF EXAMPLE, MAKING RECOMMENDATIONS, PERFORMING ASSESSMENTS, TESTS, OR PROVIDING REPORTS CUSTOMER AGREES THAT SUCH ACTIVITIES ARE PROVIDED IN GOOD FAITH AS TO ITS ACCURACY AND IRIS DOES NOT AND CANNOT GUARANTEE THAT SUCH ACTIVITIES, RECOMMENDATIONS, ASSESSMENTS, TESTS OR MONITORING WILL BE ACCURATE, COMPLETE, ERROR‑FREE, OR EFFECTIVE IN ACHIEVING CUSTOMER’S SECURITY AND/OR COMPLIANCE RELATED OBJECTIVES. ALL PROFESSIONAL SECURITY ASSISTANCE SERVICES ARE PROVIDED AS IS.
6.4.6 Neither IRIS or its vendors will be liable for any damages or liabilities however classified, including third-party claims which Customer or third parties may incur as a result of:
(i) non‑compliance with any standards which apply to Customer, and/or
(ii) reliance upon (or implementation of recommendations from) results, reports, tests, or recommendations related to DDoS Mitigation; or
(iii) loss or corruption of data or information transmitted through DDoS Mitigation.
6.4.7 TPSS ARE NOT PART OF DDOS MITIGATION, AND CUSTOMER ACQUIRES TPSS DIRECTLY FROM A THIRD‑PARTY PROVIDER. IRIS IS NOT RESPONSIBLE OR LIABLE FOR ANY DAMAGES WHATSOEVER RELATED TO TPSS, EVEN IF:
(i) IRIS RECOMMENDS THE THIRD-PARTY PROVIDER,
(ii) THE TPSS IS RELATED TO DDOS MITIGATION OR TO CUSTOMER’S ABILITY TO RECEIVE OR EXPLOIT DDOS MITIGATION, AND
(iii) IRIS ACTS AS THE THIRD-PARTY PROVIDER’S AGENT IN DELIVERING OR ENABLING ACCESS TO THE TPSS, IN COLLECTING PAYMENT, OR IN OTHER WAYS.
6.4.8 WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, IRIS WILL HAVE NO RESPONSIBILITY OR LIABILITY FOR MAINTENANCE, UPDATES, OR UPGRADES OF TPSS, FOR INTELLECTUAL PROPERTY INFRINGEMENT BY TPSS OR ANY FAILURE OR PERFORMANCE OF THE TPSS.
6.4.9 IRIS is the applicable supplier’s agent for purposes of ordering, collecting payment or in other ways as it relates to TPSS.
6.5 Direct Damages.
6.5.1 Except for the payment and indemnification obligations of Customer and subject to the Liability Limitations and Exclusions provision or similar waiver of consequential damages provision, the total aggregate liability of each party arising from or related to this Schedule will not exceed the total MRCs, NRCs, and usage charges paid or payable to IRIS for the affected DDoS Mitigation under this Schedule in the six (6) months immediately preceding the first Event giving rise to the cause of action (“Damage Cap”).
6.6 Suspension; Access; Restrictions.
6.6.1 IRIS may temporarily suspend any DDoS Mitigation immediately if IRIS has a good faith belief that Suspension is reasonably necessary to Mitigate damage or liability to the Mitigation Infrastructure or IRIS’ network or to other customers of IRIS that may result from Customer’s continued use of DDoS Mitigation.
6.6.2 In addition to any rights or obligations of the parties due to regulatory changes in the Customer MSA, Agreement or this Schedule, IRIS may terminate any Order if IRIS or an applicable vendor or subcontractor cannot maintain any required regulatory approvals, despite its reasonable efforts to do so. Customer’s access to the applicable DDoS Mitigation will end as of the effective date of Termination or expiration and DDoS Mitigation does not include transition assistance.
6.6.3 Nothing in this Schedule grants a Customer any rights to, and Customer is expressly prohibited from, reselling DDoS Mitigation or using any component of DDoS Mitigation or any IRIS proprietary materials to create or offer derivative versions of DDoS Mitigation either directly, or through a third-party, as a standalone service offering, as bundled with Customer’s services or products, or on a service‑bureau basis.
6.6.4 Customer understands that DDoS Mitigation may result in disruptions of and/or damage to Customer’s, Customer’s end‑users’ or third parties’ information systems and the information and data contained therein, including but not limited to denial of access to a legitimate system user. It does not include backing up data prior to deploying DDoS Mitigation or for arranging alternative means of operation should such disruptions or failures occur. Customer understands and acknowledges that DDoS Mitigation is not suitable for the maintenance or processing (apart from mere transmission) of protected health information consistent with the Health Insurance Portability and Accountability Act (HIPAA), as amended or any other applicable laws in the matter.
7. Definitions.
7.1 Any capitalized terms used in this Schedule and not otherwise defined will have the meanings set forth in Customer MSA, Agreement, or industry standard practices.
7.2 “Agreement” Service Orders and other documents executed by IRIS and Customer directly or in-directly related to the DDoS product, including DIA (Dedicated Internet Access) and transport backhaul of the DIA product.
7.3 “Attack” whether singular or plural means a distributed denial of service (DDoS) attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
7.4 “Auto-Mitigation” refers to the automated process of detecting and mitigating DDoS attacks without requiring manual intervention. When a DDoS attack is detected, the system automatically redirects the malicious traffic to a scrubbing center or deploys other mitigation techniques to filter out the attack traffic and ensure the target remains accessible
7.5 “Black-hole” refers to a network security measure where incoming malicious traffic is directed to a null route or a “black hole,” effectively dropping the traffic and preventing it from reaching its intended target. This helps mitigate the attack’s impact by isolating and discarding harmful data packets.
7.6 “Chronic Outage” has definition as defined in 4.5 of this Schedule.
7.7 “Chronic Problem” refers to a customer configuration issue that causes DDoS for that customer not to function properly.
7.8 “Completion Notice” refers to a communication done in writing or electronically, informing the customer on the of the date DDoS Mitigation begins.
7.9 “Customer” refers to the other party of this Schedule and other Agreements.
7.10 “Event” means a security abnormality detected by IRIS DDoS Mitigation or reported by Customer to the NOC. An Event does not necessarily constitute an actual security incident or Attack and must be investigated further to determine its validity.
7.11 “Excused Outage” will also mean for purposes of this Schedule, and in addition to the Customer MSA and Agreement, the SLA will not apply, and Customer will not be entitled to receive a credit or exercise a termination right under the SLA, for any outage that adversely impacts DDoS Mitigation that is caused by, or attributable to:
(a) the acts or omissions or misuse of DDoS Mitigation by Customer, its employees, contractors or agents or its end users;
(b) the failure or malfunction of equipment, applications, the public Internet or other network or telecommunications unavailability, or systems not owned or controlled by, or attributable to, IRIS Networks;
(c) Regularly Scheduled Maintenance or emergency maintenance, alteration or implementation;
(d) the unavailability of required Customer personnel or the inability of IRIS to contact Customer related to DDoS Mitigation, including as a result of failure to provide IRIS with accurate, current contact information (including email);
(e) IRIS Networks’ lack of access to the Customer premises where reasonably required to restore DDoS Mitigation;
(f) Customer’s failure to release DDoS Mitigation for testing or repair and continuing to use DDoS Mitigation on an impaired basis;
(g) Customer’s failure to provide timely approvals and/or consents, including allowing IRIS to retune DDoS Mitigation as required for IRIS to provide Mitigation;
(h) Customer’s sustained traffic load reaching a point that causes material degradation to or outage of the underlying IRIS Internet infrastructure not directly related to the Mitigation Infrastructure; (i) improper or inaccurate network specifications provided by Customer;
(i) Customer is in breach of its obligations under the Agreement or this Schedule;
(j) Customer failure to properly update the Route Origin Authorization (“ROA”); or
(k) Customer’s failure to notify IRIS in advance of network topography or system issues if the failure to notify results in failures, interruptions or degradation of Mitigation.
7.12 “Flow-Based Monitoring” or “FBM” is a method used to collect, analyze, and monitor network traffic by examining the flow of data packets across a network. This technique helps network administrators understand how data moves through their network, identify potential bottlenecks, and detect security threats
7.13 “Mitigation” or “Mitigate” means rerouting of traffic through IRIS DDoS Mitigation and initiating countermeasures with the intent to remove Attack traffic identified by the Mitigation Infrastructure located in IRIS Networks’ network.
7.14 “Mitigation Infrastructure” is defined as a collection of IRIS devices consisting of routers, servers and scrubbers that connect to IRIS Networks’ internet and are designed to filter malicious Attack traffic and pass‑through legitimate traffic in order to Mitigate the potential disruptions caused by an Attack.
7.15 “Order” which may also be referred to as “Service Order” or “SO” is a request, submitted on behalf of a Customer, due to a Proposal or SOA signed or agreed to by the Customer. Service Orders include details and specifics for each Product ordered by the Customer.
7.16 “Portal” refer to the Customer Portal where Customers will have access to see traffic monitoring, alerting, Mitigation and trouble tickets.
7.17 “Regularly Scheduled Maintenance” means any scheduled maintenance performed to the Mitigation Infrastructure. Regularly Scheduled Maintenance will not normally result in Mitigation interruption. If Regularly Scheduled Maintenance requires an interruption, IRIS will:
(a) provide Customer seven (7) days’ prior written notice,
(b) work with Customer to minimize such interruptions,
(c) use commercially reasonable efforts to perform such maintenance between midnight and 6:00 a.m. local time where the Mitigation Infrastructure is located on which such maintenance is performed and
(d) work with Customer to remove Always‑On Customer traffic from the Mitigation Infrastructure during such maintenance to avoid interruption. Emergency maintenance may be performed on less or no notice.
7.18 “Resource Public Key Infrastructure” or “RPKI” is a specialized public key infrastructure standard, adopted by most internet service providers (ISPs). It was designed and developed to provide a secure means of peer‑to‑peer IP Route announcements (BGP Protection). RPKI helps ensure that a route announcement is legitimately coming from the source AS (Autonomous System) and that it was registered with the Route Registry.
7.19 “Route Registry” is a database that stores information about Internet routing. It helps network operators share and manage routing information to ensure the stability and consistency of Internet-wide routing. The Route Registry contains various objects that describe routing policies and configurations, which network engineers use to configure routers and avoid routing issues between Internet service providers. Network engineers may also refer to the Route Registry as the Internet Routing Registry (IRR).
7.20 “Service Validation” means the process by which DDoS Mitigation is confirmed as available as a part of the provisioning process enabling IRIS to obtain a profile of Customer’s traffic. Customer will coordinate to schedule Service Validation when contacted by IRIS to do so. Service Validation is conducted over two (2) windows during which traffic is routed through the Mitigation Infrastructure as follows:
(a) an initial two (2) hour “test” window, and
(b) a 24‑hour validation window. Service Validation must be completed for all or a subset of protected Class C subnet prior to routing traffic through the Mitigation Infrastructure.
7.21 “Suspension” means IRIS Networks’ suspension of DDoS Mitigation to Customer as permitted by this Schedule or as otherwise allowed under the Agreement.
7.22 “Third-Party Software or Services” or “TPSS” means those designated services where the Customer must agree to the terms required by the vendor that form the binding agreement between the applicable vendor and Customer. For all such designated services, IRIS is not responsible or liable for TPSS, including the performance of or failure to perform the services.
Last Updated October 15, 2024
