F5 End User Services Agreement—Service-Specific Terms

 
1 
 
157627465.8 
F5 END USER SERVICES AGREEMENT 
SERVICE-SPECIFIC TERMS  
Last Updated: August 5
th
, 2024 
The Service-Specific Terms below supplement and are incorporated in and form a part of your agreement with us governing 
your use of the SaaS Offerings (the “Agreement”). Capitalized terms used in these Service-Specific Terms but not defined below 
are defined in the End User Services Agreement located at https://www.f5.com/pdf/customer-support/eusa.pdf or if 
applicable, entered into between us and you. In the event of a conflict between a provision of these Service-Specific Terms and 
a provision of the Agreement, these Service-Specific Terms will control with respect to its terms. Your use of any SaaS Offerings 
to which you have access via a Customer Dashboard shall be subject to the terms of the Agreement, including the applicable 
Service-Specific Terms herein, regardless of whether you have placed an Order for such SaaS Offerings. 
 
1.  Silverline SaaS Offerings..................................................................................................................................................... 3 
Silverline Operational Terms. ............................................................................................................................................ 3 
2.  Silverline DDoS Protection Service .................................................................................................................................... 4 
Silverline DDoS Protection Service Operational Terms. .................................................................................................... 4 
3.  Silverline Shape Defense Service ....................................................................................................................................... 5 
Silverline Shape Defense Operational Terms. ................................................................................................................... 5 
4.  Silverline Web Application Firewall Service ....................................................................................................................... 7 
Silverline Web Application Firewall Operational Terms. ................................................................................................... 7 
5.  Silverline Data Protection Terms ....................................................................................................................................... 8 
DPA.  8 
Processing Details and Security. ........................................................................................................................................ 8 
6.  NGINX One ....................................................................................................................................................................... 12 
6.1.  Operational Terms. .......................................................................................................................................... 12 
7.  Terms Applicable to the following SaaS Offerings (collectively “BRM SaaS Offerings”): Distributed Cloud 
Authentication Intelligence; Distributed Cloud Aggregator Management; Distributed Cloud Client-Side 
Defense; Application Traffic Insight; Distributed Cloud Account Protection; Distributed Cloud Bot Defense 
(Managed Service); and Distributed Cloud Data Intelligence ......................................................................................... 14 
Operational Terms. .......................................................................................................................................................... 14 
Data Protection Terms ..................................................................................................................................................... 16 
8.  Terms Applicable to the following SaaS Offerings:  Distributed Cloud Bot Defense (Self Service) ................................. 19 
Operational Terms. .......................................................................................................................................................... 19 
Data Protection Terms. .................................................................................................................................................... 21 
9.  Professional Services........................................................................................................................................................ 23 
Additional Definitions. ..................................................................................................................................................... 23 
Provision of Professional Services; Fees. ......................................................................................................................... 23 
Expenses........................................................................................................................................................................... 23 

 
2 
 
157627465.8 
10.  Terms Applicable to the following SaaS Offerings (collectively “XC SaaS Offerings”):  Distributed Cloud Mesh, 
Distributed Cloud App Stack, Distributed Cloud DDoS, Distributed Cloud WAF, Distributed Cloud API 
Security, Distributed Cloud Network Connect, Distributed Cloud Load Balancer, Distributed Cloud App 
Connect, Distributed Cloud DNS, Distributed Cloud DNS Load Balancer, Distributed Cloud Synthetic 
Monitoring, and Distributed Cloud CDN. ......................................................................................................................... 24 
Usage Metrics. ................................................................................................................................................................. 25 
Operational Terms For: Distributed Cloud Mesh, Distributed Cloud App Stack, Distributed Cloud API 
Security, Distributed Cloud Network Connect, Distributed Cloud Load Balancer, Distributed Cloud 
App Connect, Distributed Cloud DNS, Distributed Cloud DNS Load Balancer, Distributed Cloud 
Synthetic Monitoring, and Distributed Cloud CDN: ......................................................................................... 25 
Operational Terms for:  Distributed Cloud DDoS and Distributed Cloud WAF ............................................................... 28 
Service Level Agreement.................................................................................................................................................. 31 
Data Protection Terms ..................................................................................................................................................... 31 
11.  Terms Applicable to the following SaaS Offering: NGINX on Azure ................................................................................ 34 
Service Level Agreement.................................................................................................................................................. 34 
Data Protection Terms ..................................................................................................................................................... 34 
12.  Distributed Cloud (XC) Mobile App Shield ....................................................................................................................... 37 
Usage Metrics. ................................................................................................................................................................. 37 
Additional Definitions. ..................................................................................................................................................... 37 
Disclaimer......................................................................................................................................................................... 37 
Operational Terms (Stand-Alone offering): ..................................................................................................................... 37 
Operational Terms (Add-On offering):............................................................................................................................. 37 
13.  Data Residency and Processing Reference ...................................................................................................................... 40 
   

157627465.8

1. Silverline SaaS Offerings

Silverline Operational Terms.

1.1.1. Additional Definitions. Unless otherwise defined in these Service-Specific Terms, the following definitions apply:

“95

Percentile Calculated Bandwidth” means your bandwidth calculated as: collecting 5-minute samples

over a calendar month based on traffic that is transmitted or received between the F5 Silverline Network and

your network, sorting the samples from largest to smallest, discarding the top (highest) 5 percent of samples,

and selecting the remaining highest single sample. The selected sample determines the bandwidth at the 95

percentile value.

“DDoS” means distributed denial of service.

“Excessive Use” of a Silverline SaaS Offering shall have the meaning set forth in the applicable Service-Specific

Term.

“F5 Silverline Network” means the IP network owned or operated by us related to the Silverline SaaS

Offerings and the system(s) (servers, and associated software) deployed by us for the delivery of the Silverline

SaaS Offerings. The F5 Silverline Network does not include customer-side web-based user interfaces,

zone/data transfer mechanisms, customer-side web servers, application programming interfaces, or other

customer accessible data manipulation software, Internet connectivity provided by third parties, the

telecommunications means between the servers, nor the Internet routes between servers.

“Silverline SaaS Offerings” means the Silverline DDoS Protection Service; the Silverline Shape Defense

Service; the Silverline Web Application Firewall Service; and/or any other services made available as Silverline

SaaS Offerings from us from time to time, as applicable. If you order Silverline SaaS Offerings under the

Agreement, all references to “SaaS Offerings” therein shall be deemed include the Silverline SaaS Offerings.

“Silverline DDoS Protection Service” means the distributed denial of service protection service delivered

through the F5 Silverline cloud-based platform. The Silverline DDoS Protection Service is also governed by

the Silverline DDoS Protection Service-Specific Terms.

“Silverline Shape Defense Service” means the automated threat protection service delivered through the F5

Silverline cloud-based platform. The Silverline Shape Defense Service is also governed by the Silverline Shape

Defense Terms.

“Silverline Web Application Firewall Service” means the web application firewall service delivered through

the F5 Silverline cloud-based platform. The Silverline Web Application Firewall Service is also governed by

the Web Application Firewall Service-Specific Terms.

“SOC” means the F5 Silverline security operations center.

1.1.2. Ordering Silverline SaaS Offerings Through Distribution. Unless otherwise agreed to in writing by us, you will

procure Silverline SaaS Offerings from an Authorized Distribution Partner in accordance with the Agreement and

the terms between you and such Authorized Distribution Partner. You and F5 shall enter into an Order describing

the Silverline SaaS Offerings to be purchased by you from the Authorized Distribution Partner, and You will

submit purchase orders to an Authorized Distribution Partner (a list of which is available from us upon request).

All terms relating to Silverline SaaS Offerings ordering, payment, taxes and fees will be as set forth in your

agreement with such Authorized Distribution Partner.

1.1.2.1. Excessive Use. We may monitor your use of the Silverline SaaS Offerings for Excessive Use. If your usage

of the Silverline SaaS Offerings is deemed Excessive Use, as measured by us, you will (i) negotiate in good

faith with us to increase the capacity of such Silverline SaaS Offerings to cover such Excessive Use, and (ii)

place additional orders for the applicable Silverline SaaS Offering to remedy the Excessive Use.

1.1.2.2. Service Term – Subscription Start Date. The Service Term for the Silverline SaaS Offerings shall start on

the Subscription Start Date. “Subscription Start Date” shall mean (a) with respect to an initial Order of

any Silverline SaaS Offering, the date that we have approved the purchase order for such Silverline SaaS

Offerings, which date shall be no later than fifteen (15) business days following the date that (i) you have

157627465.8

signed or accepted the Agreement, and (ii) we have received the applicable Order; provided, however,

that you may request a Subscription Start Date that is later than the date provided in this Section 1.4 if

such later Subscription Start Date, clearly labeled as such, is set forth in the applicable Order; and (b) with

respect to the renewal of any Silverline SaaS Offerings, the day immediately following the last day of the

prior Service Term.

1.1.2.3. Service Term – Under Attack. Notwithstanding Section 1.4 of this Service-Specific Term, if you order

Silverline SaaS Offerings while under a DDoS attack, the Subscription Start Date shall start on the date

that you have accepted this Agreement, including all applicable Orders, for the applicable Silverline SaaS

Offering. You hereby acknowledge and agree that you are obligated to promptly place an order for such

Silverline SaaS Offering with us or an Authorized Distribution Partner, as applicable, and pay applicable

fees for such Silverline SaaS Offering.

1.1.2.4. Security. During any Service Term, we shall implement a security program for the applicable Silverline

SaaS Offering that is designed to comply with the Payment Card Industry Data Security Standard (PCI-DSS)

or any similar industry security standard. Upon your written request, which shall not be made more than

once in any twelve (12) month period, we shall provide you a PCI-DSS, or other similar security standard,

attestation of compliance, or similar certification of compliance, applicable to the Silverline SaaS Offerings

provided hereunder.

1.1.2.5. New Data. Certain Silverline SaaS Offerings allow you to receive data from us that we own or license from

a third party, or that we create through proprietary analysis and modeling of Customer Data alone or in

combination with other data, such as risk score, intelligence about a threat from some source other than

Customer Data, or substantiation of either of the foregoing (collectively, “New Data”). New Data does not

include Customer Data. As between you and us, we own and retain all rights, title and interest in and to

the New Data, and you may use New Data only for your lawful, internal cybersecurity analysis/auditing

purposes in accordance with this Agreement. You are responsible for proper security of any New Data

you receive. Unless prohibited by law, you will promptly inform us of any request from a third party to

exercise any purported rights with respect to the New Data.

1.1.2.6. Service Level Agreement. During the Service Term and provided that you are compliant with the

Agreement and any Service-Specific Terms, we will use commercially reasonable efforts to provide the

applicable Silverline SaaS Offerings in accordance with the Service Level Agreement.

2. Silverline DDoS Protection Service

Silverline DDoS Protection Service Operational Terms.

2.1.1. Additional Definitions. Unless otherwise defined in these Service-Specific Terms, the following definitions apply:

“Always Available” means a Silverline DDoS Protection Service where all prerequisite configuration elements

are established and you determine when to, and take action to, divert your traffic to the F5 Silverline Network

for DDoS mitigation.

“Always On” means a Silverline DDoS Protection Service where your applicable traffic protected from attack

is continuously directed to the F5 Silverline Network for DDoS monitoring and mitigation.

“Clean Bandwidth” means the 95

Percentile Calculated Bandwidth of traffic returned to, or received from,

your premises after the Silverline DDoS Protection Service mitigation methods are applied.

“Data Center” means a single physical location or a virtual construct that is used to centralize computing

resources. A data center may support multiple applications, or IP Subnets. For the Silverline DDoS Protection

Service, 4 (four) clean traffic return paths will be configured for each Customer Data Center (e.g., GRE

tunnels).

“Router Monitoring” means that we will monitor for Layer 3-4 DDoS events while your traffic is not running

through the F5 Silverline Network. Router Monitoring requires you to appropriately configure identified

routers to send flow data to us for the purpose of monitoring traffic for DDoS events. The number of your

routers configured to transmit flow data to us will determine quantity of Router Monitoring objects.

157627465.8

“VIP” means an IP address configuration provided to you by us which includes an IP address allocated by us

to process and transmit traffic to defined origin(s) within your Data Center. The VIPs are used in a proxy

deployment to enable communication from the Internet to us and then to your application within your Data

Center.

2.1.2. Excessive Use. For the purpose of this Service-Specific Term, “Excessive Use” means your usage of the Silverline

DDoS Protection Service in (a) excess of the Clean Bandwidth as measured by 95

Percentile Calculated

Bandwidth; or (b) your configuration of Router Monitoring or Data Centers (e.g., GRE Tunnels) exceeds the

quantities defined in the applicable Order.

2.1.3. Additional Disclaimers and Limitations. SILVERLINE DDOS PROTECTION SERVICES PROVIDE PROTECTION ONLY

IN ACCORDANCE WITH THE SPECIFICATIONS ASSOCIATED WITH THE APPLICABLE SILVERLINE DDOS PROTECTION

SERVICE, SUBJECT TO YOUR ORDERING AND PAYING APPLICABLE FEES FOR SUCH SAAS OFFERINGS IN

ACCORDANCE WITH THE APPLICABLE PAYMENT TERMS, INCLUDING SPECIFICATIONS ON CLEAN BANDWIDTH,

NUMBER OF DATA CENTERS, NUMBER OF VIPS, ROUTER MONITORING QUANTITY AND WHETHER SUCH

SERVICES ARE ALWAYS ON OR ALWAYS AVAILABLE.

3. Silverline Shape Defense Service

Silverline Shape Defense Operational Terms.

3.1.1. Additional Definitions. Unless otherwise defined in these Service-Specific Terms, the following definitions apply:

“Authorized Website(s)” means the Customer’s website(s) hosted on the FQDN being monitored by the SaaS

Offerings.

“Authorized Mobile Application(s)” means the Customer’s mobile application(s) hosted on or communicating

with the FQDN being monitored by the SaaS Offerings.

“Client-Side Code” means any code, program or other software provided by F5 to Customer, such as Java

Script software and SDKs, that Customer may deploy on Authorized Websites or Authorized Mobile

Application(s) to collect or generate Threat Data.

“FQDN” means a fully-qualified domain name which, by means of a domain name system (DNS), points to a

single canonical name (CNAME), a single IP address, or a single pool of distributed IP addresses.

“Threat Data” means, individually and collectively, indications of compromise, telemetry, behavioral

information, device information, network information, data relating to attacks and attack tools, attack

credentials and other information relating to the provision, use and performance of various aspects of the

Silverline Shape Defense Service and any related services, systems and technologies, including any numeric

or logical values generated by the Silverline Shape Defense Service and any contextual information associated

with any such values (e.g., any description or the meaning of any such values). Threat Data does not include

information that identifies a natural person.

3.1.2. Excessive Use. For purposes of this Service-Specific Term, “Excessive Use” means your usage of the Silverline

Shape Defense Service (a) in excess of the bandwidth provided for in the applicable Order, as measured by us

where use shall be excessive if either (i) the 95

Percentile Calculated Bandwidth exceeds the applicable tier

defined in the Order; or (ii) you are targeted by a sustained DDoS attack whereby your application consumes

more than one DDoS attack that exceeds a peak of 1.5 Gbps of attack traffic during any twelve (12) month period,

unless you have an effective subscription to Silverline DDoS Protection SaaS Offerings covering such attack or (b)

where you have provisioned a quantity of FQDNs for protection via the Silverline Shape Defense Service greater

than the defined amount of FQDNs in the Order. You acknowledge and agree that our obligations are limited to

providing the Silverline Shape Defense SaaS Offerings in the quantiles identified in the Order(s) for the active

Service Term(s).

3.1.3. Grant of Right. Subject to the terms and conditions of the Agreement, any applicable Orders, and the Service

Policies, we grant you a limited, non-exclusive, non-transferable, non-sublicensable license during the Service

Term to:

157627465.8

3.1.3.1. install and execute the Client-Side Code solely on the Authorized Website(s) and Authorized Mobile

Application(s), for the sole purpose of collecting and generating Threat Data and transmitting the Threat

Data to the Silverline Shape Defense Service; and

3.1.3.2. if an Order grants you the current right to access and use the Silverline Shape Defense Service: (a) obtain

the New Data (defined below) from the Silverline Shape Defense Service; (b) internally use the New Data

solely to determine whether fraudulent activities are occurring on the Authorized Website(s) or

Authorized Mobile Application(s); and (c) have only those employees of Customer who are principally

responsible for fraud detection access any such New Data solely for the purposes of exercising the rights

granted in Section 3.1.3.2(b) of these Service-Specific Terms; and, in each case solely for Customers’

internal business purposes.

3.1.4. Additional Terms Applicable to Data.

3.1.4.1. Threat Data. Notwithstanding anything to the contrary set forth in the Agreement, we will have the right

to collect, generate and analyze Threat Data, and we own and retain all right, title and interest worldwide

in and to the Threat Data, and all intellectual property rights therein or related thereto. Threat Data does

not include Customer Data.

3.1.4.2. New Data. Certain of the SaaS Offerings allow you to receive data from us that we own or license from a

third party, or that we create through proprietary analysis and modeling of Threat Data and/or Customer

Data alone or in combination with other data, such a risk score, intelligence about a threat from some

source other than Customer Data, or substantiation of any of the foregoing (the “New Data”). New Data

does not include Customer Data.

3.1.4.3. Ownership of and Restrictions on use of Data. As between you and us, we own and retain all rights, title

and interest in and to the New Data, and Threat Data, and you hereby assign to us any right, title and

interest you may have or acquire in any New Data and Threat Data. New Data, and Threat Data are F5’s

Confidential Information. You will use New Data only for your lawful, internal cybersecurity

analysis/auditing purposes in accordance with this Agreement. You are responsible for proper security

of any New Data you receive or possess. Unless prohibited by law, you will promptly inform us of any

request from a third party to exercise any purported rights with respect to the New Data.

3.1.4.4. Obligations on Termination. Upon expiration of the Service Term, you will immediately: (i) discontinue

use of the New Data; (ii) return to F5, or at F5’s written request destroy, all tangible materials containing,

reflecting, or incorporating the New Data or any Documentation pertaining thereto; (iii) permanently

erase all electronic versions of the foregoing materials from all systems you directly or indirectly control;

and (iv) execute and deliver to F5, upon request, written certification of your compliance with the

foregoing.

3.1.5. Restrictions. Customer will not (and will not authorize or permit any third party to): (a) attempt to reverse

engineer the New Data or Threat Data or any portion thereof, or otherwise attempt to derive any processes,

techniques, methods, specifications, protocols, algorithms, interfaces, data structures, or other information

used to collect or generate any New Data or Threat Data; (b) rent, lease, lend, sell, sublicense, assign, distribute,

publish, transfer or otherwise make available any New Data, Threat Data, or Documentation pertaining thereto,

or any portion thereof, to any third party, including on or in connection with the Internet or any time-sharing,

service bureau, software as a service, cloud or other technology or service or otherwise use any New Data other

than as expressly allowed under these Service-Specific Terms; (c) use the New Data or the Documentation

pertaining thereto (or any information obtained or derived from the New Data or such Documentation) for the

development, provision or use of a competing service or product; (d) externally disclose benchmarking or

competitive analysis of any of the New Data or Documentation pertaining thereto; (e) use the New Data in

violation of any applicable law or regulation; or (f) allow any person (other than its employees who are principally

responsible for fraud detection for the Authorized Website(s) or Authorized Mobile Application(s)) to access or

use the New Data or any Documentation pertaining thereto, or any information obtained or derived therefrom.

3.1.6. Service Tier Descriptions.

3.1.6.1. Silverline Shape Defense SaaS Offerings. Silverline Shape Defense SaaS Offerings include:

157627465.8

(a) SOC support by phone, chat and email to maintain security policies in support of your

covered FQDN(s), including onboarding and configuration of the Silverline Shape Defense

Service.

(b) Periodic review of automated threats reported by the Silverline Shape Defense Service

against your covered FQDN(s).

positive reviews.

3.1.7. Additional Disclaimers and Limitations. SILVERLINE SHAPE DEFENSE SERVICES PROVIDE PROTECTION FOR ONLY

FQDN(S) ASSOCIATED WITH THE APPLICABLE SERVICES CONTRACTUALLY ASSOCIATED WITH THE SILVERLINE

SHAPE DEFENSE SERVICES ON THE APPLICABLE ORDER(S).

3.1.8. Notwithstanding anything to the contrary in the Agreement, liabilities and damages arising out of the following

will not be subject to any limitations on liability in the Agreement: Customer’s unauthorized use of the Silverline

Shape Defense Service, Threat Data, or New Data (including without limitation the exercise of rights in excess of

the license grants in Section 3.1.3 of these Service-Specific Terms), or Customer’s breach of any of its obligations

in Sections 3.1.4.4, or 3.1.5 of these Service-Specific Terms.

4. Silverline Web Application Firewall Service

Silverline Web Application Firewall Operational Terms.

4.1.1. Additional Definitions. Unless otherwise defined in these Service-Specific Terms, the following definitions apply:

“FQDN” means a fully-qualified domain name which, by means of a domain name system (DNS), points to a

single canonical name (CNAME), a single IP address, or a single pool of distributed IP addresses.

4.1.2. Excessive Use. For purposes of this Service-Specific Term, “Excessive Use” means your usage of the Silverline

Web Application Firewall Service (a) in excess of the bandwidth provided for in the applicable Order, as

measured by us where use shall be excessive if either (i) the 95

Percentile Calculated Bandwidth exceeds the

applicable tier defined in the Order; or (ii) you are targeted by a sustained DDoS attack whereby your application

consumes more than one DDoS attack that exceeds a peak of 1.5 Gbps of attack traffic during any twelve (12)

month period, unless you have an effective subscription to Silverline DDoS Protection SaaS Offerings covering

such attack or (b) where you have provisioned a quantity of FQDNs for protection via the Silverline Web

Application Firewall Service greater than the defined amount of FQDNs in the Order. You acknowledge and agree

that our obligations are limited to providing the Silverline Web Application Firewall SaaS Offerings in the

quantiles identified in the Order(s) for the active Service Term(s).

4.1.3. Silverline Managed Services. Only the following section applies only to Silverline’s Managed Services offering:

4.1.3.1. Silverline Managed Web Application Firewall SaaS Offerings. Silverline Managed Web Application

Firewall SaaS Offerings include:

(d) SOC support by phone, chat and email to maintain security policies in support of your

covered FQDN(s), including periodic tuning of security policies in accordance with the

results of vulnerability assessments as performed against your covered FQDN(s).

(e) Detailed analysis of your web application firewall violation logs for the purpose of tuning

the security policies.

(f) Vulnerability assessment data imported from a third party or sources provided by you.

(g) Reporting on web application firewall violation data.

(h) Upon yours request, the SOC may also engage with you for web application firewall

violation false positive reviews.

4.1.4. Additional Disclaimers and Limitations. SILVERLINE WEB APPLICATION FIREWALL SERVICES PROVIDE

PROTECTION FOR ONLY FQDN(S) ASSOCIATED WITH THE APPLICABLE SERVICES CONTRACTUALLY ASSOCIATED

WITH THE SILVERLINE WEB APPLICATION FIREWALL SERVICE ON THE APPLICABLE ORDER(S). IN THE EVENT THAT

YOU QUALIFY FOR, PURSUANT TO OUR ELIGIBILITY CRITERIA AS MAY BE CHANGED FROM TIME TO TIME IN OUR

SOLE DISCRETION, AND ELECT TO EXPORT YOUR WEB APPLICATION FIREWALL POLICIES (“WAF POLICIES”) FROM

157627465.8

THE SILVERLINE WEB APPLICATION FIREWALL SERVICES FOR USE IN CONNECTION WITH YOUR SEPARATELY

LICENSED F5 APPLICATION SECURITY MANAGER SOFTWARE (“WAF POLICY EXPORT”), YOU ACKNOWLEDGE AND

AGREE THAT SUCH EXPORT AND USE OF THE WAF POLICIES ARE AT YOUR SOLE RISK. WE HEREBY DISCLAIM ALL

LIABILITY, EXPRESS OR IMPLIED, IN CONNECTION WITH YOUR WAF POLICY EXPORT, INCLUDING, BUT NOT

LIMITED TO, ANY WARRANTIES AGAINST INFRINGEMENT OF THIRD-PARTY RIGHTS, MERCHANTABILITY AND

FITNESS FOR A PARTICULAR PURPOSE (INCLUDING, WITHOUT LIMITATION, DETECTION OF DISTRIBUTED DENIAL

OF SERVICE ATTACKS). YOU ACKNOWLEDGE AND AGREE THAT WE HAVE NO OBLIGATION TO PROVIDE SUPPORT

TO YOU IN CONNECTION WITH SUCH WAF POLICY EXPORT.

5. Silverline Data Protection Terms

DPA.

The DPA applies to personal data (as defined under the General Data Protection Regulation (Regulation (EU) 2016/679)

(“GDPR”)) that we process as part of the Silverline SaaS Offerings as detailed below.

Processing Details and Security.

For details regarding the processing for the Silverline SaaS Offerings please refer to the DPA and Schedule A below. For

a description of the technical and organizational security measures for the Silverline SaaS Offerings, please refer to

Schedule B below.

157627465.8

Schedule A - Silverline SaaS Offerings

DETAILS OF THE DATA PROCESSING

Details relevant to Annex I(B) of the 2021 Standard Contractual Clauses

Subject Matter, Nature and Purpose of Processing, and details of processing operations: Provision of the Silverline SaaS Offerings,

as described herein.

Term/Duration of Processing: As set forth in the Agreement.

Categories of Data Subjects: Visitors to your Internet-facing websites and mobile applications protected by the Silverline SaaS

Offerings

Categories of Data for DDoS, WAF, Shape Defense:

Internet Protocol (IP) addresses and network traffic data; information from interactions between the user (and their

browser or device) and the online property; and other technical data about the browser or device that may be used to

screen for malicious activity; Silverline Shape Defense Service identifiers (pseudo-randomly generated values).In

addition to IP addresses, Shape Defense also processes pseudo-randomly generated values stored in a first-party

cookies.

Special Categories of Data (if any): Not applicable, unless incidentally present in the traffic data that the service analyses

for malicious activity. Even if such data were to be present, the SaaS Offering does not use the special aspects of the

personal data for any purpose. For example, if the traffic data to be analyzed for malicious activity somehow reflected

an identifiable individual’s philosophical belief, the SaaS Offering would not track this belief or take it into consideration.

Additional details relevant to Annex 1(B) of the 2021 Standard Contractual Clauses

Applied safeguards and restrictions specific to any special categories of data: The same high standard of protection described

in these Service-Specific Terms and the DPA applies to this and other categories of personal data.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Logs of exceptions (i.e., blocking or flagging events) are retained for 12 months.

Schedule B - Silverline SaaS Offerings

TECHNICAL AND ORGANISATION SECURITY MEASURES

Annex II of the 2021 Standard Contractual Clauses

F5’s Silverline Data Centers – including those at Singapore and Frankfurt, Germany – maintain, and keep current, substantive

compliance with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS demands the following key controls:

Network configuration security

Elimination of all default system passwords and other security parameters on all systems used to host or process personal data.

Encrypted transmission of all Personal Data in transit

Functional and regularly updated anti-virus controls on all systems used to host or process Personal Data.

Exclusive use of unique, traceable system IDs on all systems used to host or process Personal Data

Controls to restrict physical access controls to all systems used to host or process Personal Data

Logging and monitoring of all access to Personal Data and systems hosting Personal Data

Regular testing of all security controls

Creation and maintenance of an information security policy, and communication of this policy to all personnel who have access

to Personal Data at the F5 Data Centre

Additionally, F5 Silverline production systems maintain strict isolation from the remainder of the F5 environment.

157627465.8

Access control to premises and facilities

Technical and organizational measures to control access to premises and facilities, particularly to check authorization, for

example:

Access control systems: ID reader; magnetic card; chip card

(Issue of) keys

Door locking (electric door openers etc.)

Security staff

Surveillance facilities: Alarm system; CCTV monitor

Access control to systems

Technical (ID/password security) and organizational (user master data) measures for user identification and authentication, for

example:

Password procedures: special characters; minimum length; change of password

Automatic blocking: password; timeout

Creation of one master record per user

Encryption of media

Access control to data

Requirements driven definition of the authorization scheme and access rights and logging and monitoring of access, for example:

Differentiated access rights: profiles; roles; transactions and objectives

Reports

Access logs

Change logs

Deletion logs

Disclosure control

Measures to transport, transmit and communicate or store data on media (manual or electronic) and for subsequent checking,

for example:

Encryption / Tunneling: VPN

Electronic signature

Logging

Transport security

Input control

Measures for subsequent checking whether data have been entered, change or removed and by whom, for example:

Logging and reporting systems

Job control

Technical and organizational measures to segregate the responsibilities between the controller and the processor, for example:

Unambiguous contract wording

157627465.8

Formal commissioning of processing

Criteria for selecting the processor

Monitoring of contract performance

Availability control

Measures to assure data security (physical/logical), for example:

Backup procedures

High-Availability storage configurations

Mirroring of hard disks (e.g., RAID technology)

Uninterruptable power supply

Remote storage

Anti-virus

Firewall

Disaster recovery plan

Segregation control

Measures to provide for separate processing (storage, amendment, deletion, transmission) of data for different purposes, for

example:

“Internal client” concept / limitation of use

Segregation of functions (development/testing/production)

We may replace or modify the measures described above so long as the overall security of the F5 Silverline SaaS Offerings is not

materially lowered during a subscription term. Subprocessors may maintain commercially reasonable security through measures

that may differ from those set forth above.

157627465.8

6. NGINX One

6.1. Operational Terms.

6.1.1. Through your subscription to the NGINX One SaaS Offering, you will be provided with (a) the ability to configure

your NGINX software product(s) (“NGINX Software”) via the Customer Dashboard, and (b) limited access to

certain SaaS Offerings as reflected in your Order. While your use of such SaaS Offerings is governed by the

Agreement, your use of the NGINX Software is governed by the End User License Agreement located at

https://www.f5.com/pdf/customer-support/end-user-license-agreement.pdf or such other signed agreement

containing applicable end user license terms for use of the NGINX Software (“EULA”).

6.1.2. Service Level Agreement. Neither the NGINX Software nor the functionality of the Customer Dashboard which

enables you to configure your NGINX Software is subject to the Service Level Agreement or any other service

levels under the Agreement.

6.2. Data Protection Terms

6.2.1. DPA. The DPA applies to personal data (as defined under the General Data Protection Regulation (Regulation

(EU) 2016/679) (“GDPR”)) that we process as part of the NGINX One SaaS Offering, as detailed below.

6.2.2. Processing Details and Security. For details regarding the processing for NGINX One SaaS Offering, please refer

to the DPA and Schedule A below. For a description of the technical and organizational security measures for

the NGINX One SaaS Offering, please refer to Schedule B below.

Schedule A – NGINX One

DETAILS OF THE DATA PROCESSING

Details relevant to Annex I(B) of the 2021 Standard Contractual Clauses

Subject Matter, Nature and Purpose of Processing, and details of processing operations: Configuring the NGINX Software, as

described herein.

Term/Duration of Processing: As set forth in the EUSA.

Categories of Data Subjects: Those identified by IP address or otherwise if included in configuration files.

Categories of Data: [Internet Protocol (IP) addresses and any other personal information stored in configuration files, if any.

Special Categories of Data (if any): Not applicable.

Applied safeguards and restrictions specific to any special categories of data: Not applicable.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal data is retained during the license term. The data will be removed after termination, subject to a reasonable period of

retention of copies made for backup and business continuity purposes.

Schedule B – NGINX One

TECHNICAL AND ORGANISATION SECURITY MEASURES

Annex II of the 2021 Standard Contractual Clauses

We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of

your Personal Data, as described in the controls included in the following:

157627465.8

Service Organization Control 2 Report designed to meet the applicable criteria for the security, availability and confidentiality

principles set forth in TSP Section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity,

Confidentiality, and Privacy by the American Institute of Certified Public Accountants.

The applicable requirements of the Payment Card Industry – Data Security Standard version 4.0.

We may replace or modify the measures described above so long as the overall security of the NGINX One service is not materially

lowered during a subscription term.

Subprocessors will maintain commercially reasonable security through measures that may differ from those set forth above.

157627465.8

7. Terms Applicable to the following SaaS Offerings (collectively “BRM SaaS Offerings”): Distributed Cloud Authentication

Intelligence; Distributed Cloud Aggregator Management; Distributed Cloud Client-Side Defense; Application Traffic

Insight; Distributed Cloud Account Protection; Distributed Cloud Bot Defense (Managed Service); and Distributed Cloud

Data Intelligence

Operational Terms.

7.1.1. Additional Definitions. Unless otherwise defined in these Service-Specific Terms, the following definitions apply:

“Appliance” means a hardware device onto which we have pre-installed Software components of the SaaS

Offerings to which you subscribe under an Order.

“Authorized Website(s)” means the Customer’s website(s) being monitored by the SaaS Offerings.

“Authorized Mobile Application(s)” means the Customer’s mobile application(s) being monitored by the SaaS

Offerings.

“Client-Side Code” means any code, program or other software provided by F5 to Customer, such as Java

Script software and SDKs, that Customer may deploy on Authorized Websites or Authorized Mobile

Applications to collect or generate Threat Data.

“Derived Data” means any learnings, algorithms, know-how or other data or information derived from or any

improvements to the Threat Data and any intellectual property rights therein, in each case, developed or

created by or for you.

“Licensed Threat Data” means that subset of the Threat Data that Customer is authorized to receive from

F5 in connection with Customer’s subscription to the Distributed Cloud Data Intelligence SaaS Offerings as

permitted by the applicable Order.

“Threat Data” means, individually and collectively, indications of compromise, telemetry, behavioral

information, device information, network information, data relating to attacks and attack tools, attack

credentials and other information relating to the provision, use and performance of various aspects of the

SaaS Offerings and any Software and related services, systems and technologies, including any numeric or

logical values generated by the SaaS Offerings and any contextual information associated with any such values

(e.g., any description or the meaning of any such values). Threat Data does not include information that

identifies a natural person.

“Transaction” means, as measured by F5’s systems: (i) for Distributed Cloud Bot Defense (Managed Service)

and Distributed Cloud Aggregator Management, any interaction with F5 systems, for example as part of the

transaction (for account takeover use case), and (b) an application/account creation transaction (for fake

account opening); (iii) for Distributed Cloud Authentication Intelligence, a login POST Transaction; (iv) for

Distributed Cloud Client-Side Defense, each distinct page view of an Authorized Website (i.e. a website on

which Client-Side Defense JavaScript is injected); and (v) for Distributed Cloud Data Intelligence, any POST

event (e.g., login, forgot password, payment, address change, create account).

7.1.2. Grant of Right. Subject to the terms and conditions of the Agreement, any applicable Orders, and the Service

Policies, we grant you a limited, non-exclusive, non-transferable, non-sublicensable license during the Service

Term to:

7.1.2.1. install and execute the Client-Side Code solely on the Authorized Website(s) and Authorized Mobile

Application(s), for the sole purpose of collecting and generating Threat Data and transmitting the Threat

Data to the SaaS Offerings; and

7.1.2.2. if an Order grants you the current right to access and use the Distributed Cloud Data Intelligence SaaS

Offerings: (a) obtain the Licensed Threat Data and New Data (defined below) from the Distributed Cloud

Data Intelligence SaaS Offerings; (b) internally use the Licensed Threat Data, New Data, and any Derived

Data that is based on such Licensed Threat Data solely to determine whether fraudulent activities are

occurring on the Authorized Websites or Authorized Mobile Applications; and (c) have only those

157627465.8

employees of Customer who are principally responsible for fraud detection access any such New Data,

Derived Data and Licensed Threat Data (and any Documentation pertaining thereto) solely for the

purposes of exercising the rights granted in Section 11.1.2.2(b) of these Service-Specific Terms; and, in

each case solely for Customers’ internal business purposes.

7.1.3. Customer Responsibility. You acknowledge and agree that you remain responsible for the security of the data

being analyzed by the SaaS Offerings. If using the Application Traffic Insight (“ATI”) functionality of the SaaS

Offerings, you acknowledge and agree that a device identifier is not guaranteed to be unique, and F5 disclaims

all liability under this Agreement in connection with your use of the ATI functionality. You will promptly inform

us of any material Derived Data.

7.1.4. Additional Terms Applicable to Data.

7.1.4.1. Threat Data. Notwithstanding anything to the contrary set forth in the Agreement, we will have the right

to collect, generate and analyze Threat Data, and we own and retain all right, title and interest worldwide

in and to the Threat Data, and all intellectual property rights therein or related thereto. Threat Data does

not include Customer Data.

7.1.4.2. New Data. Certain of the SaaS Offerings allow you to receive data from us that we own or license from a

third party, or that we create through proprietary analysis and modeling of Threat Data and/or Customer

Data alone or in combination with other data, such a risk score, intelligence about a threat from some

source other than Customer Data, or substantiation of any of the foregoing (the “New Data”). New Data

does not include Customer Data.

7.1.4.3. Ownership of and Restrictions on use of Data. As between you and us, we own and retain all rights, title

and interest in and to the New Data, Threat Data, and Derived Data, and you hereby assign to us any right,

title and interest you may have or acquire in any New Data, Threat Data and Derived Data. New Data,

Threat Data and Derived Data are F5’s Confidential Information. You will use New Data, Licensed Threat

Data, and Derived Data only for your lawful, internal cybersecurity analysis/auditing purposes in

accordance with this Agreement. You are responsible for proper security of any New Data, Licensed

Threat Data, and Derived Data you receive or possess. Unless prohibited by law, you will promptly inform

us of any request from a third party to exercise any purported rights with respect to the New Data, Threat

Data, or Derived Data.

7.1.4.4. Obligations on Termination. Upon expiration of the Service Term, you will immediately: (i) discontinue

use of the New Data, Licensed Threat Data and Derived Data and any Documentation pertaining thereto;

(ii) return to F5, or at F5’s written request destroy, all tangible materials containing, reflecting, or

incorporating the New Data, Licensed Threat Data or Derived Data or any Documentation pertaining

thereto; (iii) permanently erase all electronic versions of the foregoing materials from all systems you

directly or indirectly control; and (iv) execute and deliver to F5, upon request, written certification of your

compliance with the foregoing.

7.1.5. Demonstration License. In addition to the rights you grant to us to use the Customer Data in the Agreement,

you hereby grant us the right and license to use the Customer Data to demonstrate to you features and

functionality of additional products and services offered by us.

7.1.6. Covenant. Customer, on behalf of itself, its affiliates, and their successors and assigns, hereby irrevocably

covenants in perpetuity not to sue F5, its affiliates, their successors and assigns, direct or indirect customers,

users, licensees, service providers, distributors, retailers, or direct and indirect suppliers (collectively, “Released

Parties”) for infringement of any now existing or hereafter acquired patents with respect to the SaaS Offerings

(or any software, services, products now existing or hereafter developed that is similar to, a replacement for or

contains any functionality of any of the foregoing that is made, used, sold, offered for sale, imported or otherwise

exploited by any of the Released Parties).

7.1.7. Service Level Agreement. During the Service Term and provided that you are compliant with the Agreement and

any Service-Specific Terms, we will use commercially reasonable efforts to provide the applicable SaaS Offerings

in accordance with the Service Level Agreement. The terms of this Section 11.1.7 apply solely where your access

to the SaaS Offerings will be remote (i.e., all software is hosted by us on our own servers or by our third party

157627465.8

hosting services providers) and not where you have installed Software on physical servers or virtual machines

owned or operated by you, or where your access is via Appliances delivered by us to you.

7.1.8. Appliances. If your access to the SaaS Offerings involves Appliances, you may order Appliances from us by

submitting an Order to us. Each such Order will include, at a minimum, (i) Appliance unit quantity; (ii) shipping

destination; (iii) delivery date; and (iv) other instructions or requirements pertinent to the Order. To facilitate

our production schedule, all such Orders will be submitted at least 10 business days in advance of the scheduled

shipping date. For the sake of convenience only, you may use your standard purchase order form for all such

Orders; provided, however, that the Agreement will exclusively govern and control the ordering of Appliances

from us and the use of the Software installed thereon, and any additional or contradictory terms and conditions

contained on any standard purchase order form of yours will be of no effect. We will use commercially

reasonable efforts to ship Appliances on or before the delivery date specified in the applicable Order (the

“Delivery Date”). If we cannot ship Appliances by the Delivery Date, we will (i) notify you of the delay as soon as

practicable; and (ii) ship the Appliances as soon as practicable. All shipments of Appliances to you will be EXW

our shipping site (Incoterms 2010). You will be responsible for all costs associated with shipping, handling, and

delivery.

7.1.9. Restrictions. Customer will not (and will not authorize or permit any third party to): (a) attempt to reverse

engineer the New Data or Threat Data or any portion thereof, or otherwise attempt to derive any processes,

techniques, methods, specifications, protocols, algorithms, interfaces, data structures, or other information

used to collect or generate any New Data or Threat Data; (b) copy, modify or otherwise prepare derivative works

of any Documentation pertaining to any of the Threat Data ; (c) rent, lease, lend, sell, sublicense, assign,

distribute, publish, transfer or otherwise make available any New Data, Threat Data, or Derived Data, or

Documentation pertaining thereto, or any portion thereof, to any third party, including on or in connection with

the Internet or any time-sharing, service bureau, software as a service, cloud or other technology or service or

otherwise use any New Data, Threat Data, or Derived Data, or Documentation pertaining thereto other than as

expressly allowed under these Service-Specific Terms (d) use the New Data, Threat Data, or Derived Data, or

any Documentation pertaining thereto (or any information obtained or derived from any of the foregoing) for

the development, provision or use of a competing service or product; (e) externally disclose benchmarking or

competitive analysis of any of the New Data, Threat Data, or Derived Data, or Documentation pertaining thereto;

(f) use the New Data, Threat Data or Derived Data in violation of any applicable law or regulation or (g) allow any

person (other than its employees who are principally responsible for fraud detection for the Authorized Websites

and Authorized Mobile Applications) to access or use the New Data, Threat Data, or Derived Data, or any

Documentation pertaining thereto, or any information obtained or derived therefrom.

7.1.10. Notwithstanding anything to the contrary in the Agreement, liabilities and damages arising out of the following

will not be subject to any limitations on liability in the Agreement: Customer’s unauthorized use of any of the

Distributed Cloud Data Intelligence SaaS Offerings, Threat Data, Licensed Threat Data, Derived Data, or New Data

(including without limitation the exercise of rights in excess of the license grants in Section 7.1.2 of these Service-

Specific Terms), or Customer’s breach of any of its obligations in Sections 7.1.3, 7.1.4.4, or 7.1.9 of these Service-

Specific Terms.

Data Protection Terms

7.1.11. DPA. The DPA applies to personal data (as defined under the General Data Protection Regulation (Regulation

(EU) 2016/679) (“GDPR”)) that we process as part of the SaaS Offerings as detailed below.

7.1.12. Processing Details and Security. For details regarding the processing for the SaaS Offerings please refer to the

DPA and Schedule A below. For a description of the technical and organizational security measures for the SaaS

Offerings, please refer to Schedule B below.

157627465.8

Schedule A – BRM SaaS Offerings

DETAILS OF THE DATA PROCESSING

Details relevant to Annex I(B) of the 2021 Standard Contractual Clauses

Applied safeguards and restrictions specific to any special categories of data: Not applicable.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal data is retained during the subscription term. The data will be removed after termination, subject to a reasonable

period of retention of copies made for backup and business continuity purposes.

* You may tailor the categories of personal data for the applicable SaaS Offering and change it over time, so the listed data

elements may not reflect a comprehensive list of categories of data at all times. A comprehensive listing of categories of data

will be provided via the dashboard accessible within your Account through the Portal, or otherwise made available to you by us

upon request.

Distributed Cloud Bot Defence (Managed Service) & Distributed Cloud Aggregator Management

Subject matter, nature and purpose of processing, and details of processing operations: This SaaS Offering assesses the

security/fraud risk of interactions with your online properties. It can be configured to block or simply flag suspected security/fraud

risks.

Term/Duration of Processing: As set forth in the Agreement.

Categories of Data Subjects: Individuals who interact with your protected web and/or mobile properties.

*Categories of Data: Internet Protocol (IP) addresses, Android IDs, data about the interactions between the user (and their

browser or device) and the online property; and other technical data about the browser or device that may be used to screen for

malicious content, which may be collected through JavaScript, mobile software development kits (SDKs) and other technical

means.

Special Categories of Data (if any): Not applicable.

Application Traffic Insight

Subject matter, nature and purpose of processing, and details of processing operations: This SaaS Offering assigns unique

identifiers to devices that visit your online properties.

Term/Duration of Processing: As set forth in the Agreement.

Categories of Data Subjects: Individuals who interact with your protected web and/or mobile properties.

*Categories of Data: Internet Protocol (IP) addresses, fuzzy Identifiers (generated from IP addresses, User Agent strings, and

select telemetry data), device identifiers (pseudo-randomly generated values), data about the user’s browser or device, and data

about the user’s interaction with the browser or device, which may be collected through JavaScript and other technical means.

Special Categories of Data (if any): Not applicable.

Distributed Cloud Authentication Intelligence

Subject matter, nature and purpose of processing, and details of processing operations: This SaaS Offering helps identify

returning, known users of your online property to avoid unnecessary requirements that they re-authenticate themselves.

Term/Duration of Processing: As set forth in the Agreement.

Categories of Data Subjects: Individuals who interact with your protected web and/or mobile properties.

*Categories of Data: Internet Protocol (IP) addresses, Fuzzy Identifiers (generated from IP addresses, User Agent strings, and

select telemetry data), device identifiers (pseudo-randomly generated values), Account identifier (i.e., usernames, hashed

157627465.8

usernames), technical data about the user’s browser or device, and data about the user’s interaction with the browser or device,

which may be collected through JavaScript and other technical means.

Special Categories of Data (if any): Not applicable.

Distributed Cloud Account Protection & Distributed Cloud Data Intelligence

Subject matter, nature and purpose of processing, and details of processing operations: This SaaS Offering provides a converged

solution for application security and fraud mitigation.

Categories of Data Subjects: Individuals who interact with your protected web and/or mobile properties.

*Categories of Data: Internet Protocol (IP) addresses, Account identifier (i.e., usernames, hashed usernames), technical data

about the user’s browser or device, and data about the user’s interaction with the browser or device, which may be collected

through JavaScript and other technical means.

Special Categories of Data (if any): Not applicable.

Distributed Cloud Client-Side Defense

Subject matter, nature and purpose of processing, and details of processing operations: This SaaS Offering identifies malicious

assets that may exfiltrate Customer’s data.

Term/Duration of Processing: As set forth in the Agreement.

Categories of Data Subjects: Individuals who interact with your Authorized Website(s).

Categories of Data: Internet Protocol (IP) addresses, information regarding how assets of a webpage, such as JavaScript assets,

are interacting with objects in a webpage and/or sending data to different end-points.

Special Categories of Data (if any): Not applicable.

Schedule B – BRM SaaS Offerings

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Annex II of the 2021 Standard Contractual Clauses

We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of

your Personal Data, as described in the controls included in the following:

Service Organization Control 2 Report designed to meet the applicable criteria for the security, availability and confidentiality

principles set forth in TSP Section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity,

Confidentiality, and Privacy by the American Institute of Certified Public Accountants.

An Attestation of Compliance Report demonstrating compliance with applicable requirements of the Payment Card Industry

– Data Security Standard version 4.0.

We may replace or modify the measures described above so long as the overall security of the SaaS Offerings is not materially

lowered during a subscription term.

Subprocessors will maintain commercially reasonable security through measures that may differ from those set forth above.

157627465.8

8. Terms Applicable to the following SaaS Offerings: Distributed Cloud Bot Defense (Self Service)

Operational Terms.

8.1.1. Additional Definitions.

“Distributed Cloud Bot Defense (Self Service) Service” means the automated threat protection service

delivered through an API.

“Client-Side Code” means any code, program or other software provided by F5 to Customer, such as Java

Script software and SDKs, that Customer may deploy on a Covered Application to collect or generate Threat

Data.

“Covered Application” means an application that has been enabled to make use of the Distributed Cloud Bot

Defense (Self Service) Service by collecting and sending client telemetry data to the Distributed Cloud Bot

Defense (Self Service) Service by means of an API call.

“Excessive Use” means your usage of the Distributed Cloud Bot Defense (Self Service) Service in excess of the

applicable Usage Metrics, as measured by us.

“Threat Data” means, individually and collectively, indications of compromise, telemetry, behavioral

information, device information, network information, data relating to attacks and attack tools, attack

credentials and other information relating to the provision, use and performance of various aspects of the

Distributed Cloud Bot Defense (Self Service) Service and any related services, systems and technologies,

including any numeric or logical values generated by the Distributed Cloud Bot Defense (Self Service) Service

and any contextual information associated with any such values (e.g., any description or the meaning of any

such values). Threat Data does not include information that identifies a natural person.

“Transaction” means any interaction with F5 systems, for example as part of the login flow sending signals

back to F5 systems.

“SOC” means the F5 security operations center.

8.1.2. Grant of Right. Subject to the terms and conditions of the Agreement, any applicable Orders, and the Service

Policies, we grant you a limited, non-exclusive, non-transferable, non-sublicensable license during the Service

Term to:

8.1.2.1. install and execute the Client-Side Code solely on a Covered Application, for the sole purpose of collecting

and generating Threat Data and transmitting the Threat Data to the Distributed Cloud Bot Defense (Self

Service) Service; and

8.1.2.2. if an Order grants you the current right to access and use the Distributed Cloud Bot Defense (Self Service)

Service: (a) obtain the New Data (defined below) from the Distributed Cloud Bot Defense (Self Service)

Service; (b) internally use the New Data solely to determine whether fraudulent activities are occurring

on a Covered Application; and (c) have only those employees of Customer who are principally responsible

for fraud detection access any such New Data solely for the purposes of exercising the rights granted in

Section 12.1.2.2(b) of these Service-Specific Terms; and, in each case solely for Customers’ internal

business purposes.

8.1.3. Additional Terms Applicable to Data.

8.1.3.1. Threat Data. Notwithstanding anything to the contrary set forth in the Agreement, we will have the right

to collect, generate and analyze Threat Data, and we own and retain all right, title and interest worldwide

in and to the Threat Data, and all intellectual property rights therein or related thereto. Threat Data does

not include Customer Data.

8.1.3.2. New Data. Certain of the SaaS Offerings allow you to receive data from us that we own or license from a

third party, or that we create through proprietary analysis and modeling of Threat Data and/or Customer

Data alone or in combination with other data, such a risk score, intelligence about a threat from some

source other than Customer Data, or substantiation of any of the foregoing (the “New Data”). New Data

does not include Customer Data.

157627465.8

8.1.3.3. Ownership of and Restrictions on use of Data. As between you and us, we own and retain all rights, title

and interest in and to the New Data, and Threat Data, and you hereby assign to us any right, title and

interest you may have or acquire in any New Data and Threat Data. New Data, and Threat Data are F5’s

Confidential Information. You will use New Data only for your lawful, internal cybersecurity

analysis/auditing purposes in accordance with this Agreement. You are responsible for proper security

of any New Data you receive or possess. Unless prohibited by law, you will promptly inform us of any

request from a third party to exercise any purported rights with respect to the New Data.

8.1.3.4. Obligations on Termination. Upon expiration of the Service Term, you will immediately: (i) discontinue

use of the New Data; (ii) return to F5, or at F5’s written request destroy, all tangible materials containing,

reflecting, or incorporating the New Data or any Documentation pertaining thereto; (iii) permanently

erase all electronic versions of the foregoing materials from all systems you directly or indirectly control;

and (iv) execute and deliver to F5, upon request, written certification of your compliance with the

foregoing.

8.1.4. Restrictions. Customer will not (and will not authorize or permit any third party to): (a) attempt to reverse