HPE Cloud Volumes

Customer Subscription Agreement

Effective October 8, 2020

This Customer Subscription Agreement (the "Agreement") is made and entered into by and between Hewlett Packard Enterprise Company ("HPE"), and you (if you are entering into this Agreement as an individual) or the business entity you represent ("Customer"). If you are entering into this Agreement on behalf of an entity, you represent and warrant that you have the legal authority to bind that entity and that entity will be deemed the Customer for purposes of this Agreement.

Customer desires to access and use HPE’s cloud based data storage and management services (the "Services"), and HPE desires to provide the Services to Customer subject to the terms and conditions of this Agreement. This Agreement is effective on the earlier of the date Customer clicks the "I Accept" button, when Customer submits its first order to HPE, or when Customer commences using the Services (the “Effective Date”).

This Agreement consists of the terms and conditions of this Customer Subscription Agreement and all applicable policies, procedures and/or guidelines related to the Services that are posted on the HPE website at www.hpe.com/storage/cloudvolumes (the "Website") from time to time.

1)    Services

a)    To access and use the Services, Customer will be required to create an account associated with a valid e-mail address. Customer may create only one account per email address, although Customer may establish one or more logins associated with the account. Customer is responsible for all activities that occur under Customer’s account, regardless of whether the activities are undertaken by Customer, its employees, or a third party (including contractors or agents) and HPE and its affiliates are not responsible for unauthorized access to Customer’s account. Customer will contact HPE immediately if it believes an unauthorized third party may be using Customer’s account or if Customer’s account information is lost or stolen. Customer may terminate Customer’s account and this Agreement at any time in accordance with Section 15.

b)    Subject to the terms and conditions of this Agreement, during the term of this Agreement, HPE will provide Customer access to the Services described in the applicable order submitted through the Website. Each and all orders Customer submits to HPE through the Website are deemed to be Customer’s consent to the terms of this Agreement and constitute Customer’s binding selection of the type of Services to be provided and all associated specifications, prices, policies and documentation related to the delivery of the Services.

2)    Use of the Services

a)    Customer may use the Services to store, process, and retrieve all content (including but not limited text, audio, video, and images), data, software, applications, technology or other information provided to HPE by, or on behalf of, Customer or Customer’s end users through use of the Services ("Customer Data"). Diagnostic Data and Customer Account Information (both as defined below) are not Customer Data. Customer acknowledges and agrees that HPE will not be responsible in any manner, and Customer is solely responsible, for the development, operation, and maintenance of all Customer Data. Personal Data and Customer Personal Data is defined in Schedule 1 - HPE Data Privacy and Security Agreement Schedule.

b)    Customer may not (and may not permit anyone else to): (a) copy, modify, create derivative works of, reverse engineer, decompile or otherwise attempt to extract the source code for the Services or any part thereof; (b) attempt to hack, disable or circumvent any security mechanisms used by the Services; (c) access or use the Services in a way intended to avoid incurring fees or exceeding usage limits or quotas; or (d) resell or sublicense the Services.

c)     HPE welcomes feedback, questions, comments, and suggestions for improvements to the Services (“Feedback”). Customer grants to HPE a non-exclusive, worldwide, perpetual, irrevocable, fully-paid, royalty-free, sublicensable and transferable license under any and all intellectual property rights that Customer owns or controls to use, copy, modify, create derivative works based upon and otherwise exploit the Feedback for any purpose.

d)    Customer acknowledges and agrees that the Services transmit to HPE and/or HPE may collect and use certain information and diagnostic data in connection with Customer’s use of the Services, including without limitation system performance, capacity and memory usage, performance metrics, error and information messages, and Service usage data related to Customer’s account, such as resource identifiers, metadata tags, security and access roles, rules, usage policies, permissions, usage statistics and analytics (“Diagnostic Data”).

e)    Customer acknowledges and agrees that HPE and HPE’s authorized third party payment processor will also collect identifying information about Customer, including but not limited to Customer name, contact information and billing information, to establish and maintain Customer’s account (“Business Contact Data”).

f)      HPE will not disclose Diagnostic Data to any third party (other than HPE affiliates, contractors and service providers working on HPE’s behalf) except in aggregated, anonymized form that does not link such Diagnostic Data to Customer.

3)    Pre-Release Materials

a)    HPE may make available to Customer pre-release, evaluation and/or trial services and/or software (“Pre-Release Materials”).  Customer agrees the Pre-Release Materials: (i) are not to be used in a production environment; (ii) may or may not ever be made generally available to HPE customers as part of an update or otherwise; (iii) are not under warranty or support; (iv) are not at the level of compatibility, performance and/or scalability of the Services as the case may be; (v) may not operate correctly; and, (vi) may be subject to additional terms and conditions that are specific to such Pre-Release Materials.  Customer agrees to notify HPE of any bugs, errors or problems with respect to Pre-Release Materials. Upon termination or expiration of any evaluation period, Customer will either convert to a paid contract covering the use of the Services or immediately terminate use of and/or remove the Pre-Release Materials and Services.

4)    Modifications

a)    Customer agrees HPE may modify any of the terms and conditions of this Agreement (including any policies), the Support Schedule and the HPE Data Privacy and Security Agreement Schedule (as set forth below) at any time and in its sole discretion, by posting a change notice or a new agreement on the Website. If any modification is unacceptable to Customer, Customer may stop using the Services. Customer’s continued use of the Services following the posting of a change notice or revision to this Agreement on the Website will constitute Customer's binding acceptance of the change.

b)    Customer will comply with HPE's policies and guidelines applicable to the use of the Services, as posted on the Website from time to time. Customer further acknowledges and agrees that HPE may change, discontinue, deprecate, or remove features or functionality of the Services from time to time.  Without limiting the foregoing, HPE will notify Customer in advance of any material change to or discontinuation of the Service.

5)    Fees, Billing and Payment

a)    Customer will pay HPE the applicable fees and charges for use of the Services as more specifically described on the Website (which may include through monthly credit card auto-deduction), administered by HPE’s authorized third party payment processor. HPE may allow Customer a pre-pay option.  HPE may provide a separate bonus amount to Customer based on the amount of prepaid services purchased by Customer. If applicable, fees and charges will be applied towards any bonus credits first.  Once the bonus credit amount has been completely extinguished, fees and charges will be applied against any prepaid amount, if applicable. Both prepaid amounts and any bonus amounts expire thirteen (13) months from the purchase date. If applicable, upon renewal, previous unused prepaid amounts may be extended through the renewal expiration date.  Unused bonus amounts will not extend beyond their thirteen (13) month expiration date for any reason. All amounts payable under this Agreement will be made without setoff or counterclaim, and without any deduction or withholding. Fees and charges for any new Service or new features of the Services will be effective when HPE posts updated fees and charges on the Website, unless HPE expressly states otherwise in a notice. HPE may increase or add new fees and charges for any existing Services by giving Customer at least fifteen (15) days' advance notice. If the change is unacceptable to Customer, Customer may stop use of the Services.  If Customer does not cease its use within fifteen (15) days, the new fees and charges will be deemed accepted by Customer.

b)    Customer is responsible for any taxes and duties including VAT and applicable sales tax (other than HPE's income tax), and Customer will pay HPE the fees without any reduction or withholding for taxes. If HPE is obligated to collect or pay any taxes, the taxes will be invoiced to Customer, unless Customer provides HPE with a valid tax exemption certificate authorized by the appropriate taxing authority.

c)     HPE calculates and bills fees and charges monthly in arrears, based on the greater of the stated minimum fee for the Service (as specified on the Website) or Customer’s actual usage of the Services in the prior month. HPE may bill Customer more frequently for fees accrued if HPE suspects Customer’s account is at risk of non-payment. Customer usage charge will be calculated daily, based on Customer’s maximum allocation of resources for that day, and such charges shall be aggregated and billed on a monthly basis. Customer will be responsible for all fees and will pay all fees in U.S. Dollars or in such other currency as agreed to in writing by the parties. Customer will pay all fees in accordance with the payment terms as more specifically described on the Website. Late payments hereunder will accrue interest at a rate of one and one-half percent (1 1/2 %) per month, or the highest rate allowed by applicable law, whichever is lower. HPE reserves the right to have Customer complete a credit application to determine Customer’s creditworthiness as a condition of receiving further Services. If HPE initiates a collection process to recover fees due and payable hereunder, Customer will pay all costs associated with such collection efforts.  Without limiting the foregoing, Customer is solely responsible for any third party charges that may be associated with and external to the Service, including but not limited to Customer’s compute resources for the applications accessing the Services and data egress usage from other cloud providers.

6)    Support

a)    HPE will provide support for the Services in accordance with the support guidelines and/or documentation HPE makes available through the Website and the applicable service levels set forth in the Support Schedule attached as Schedule 2 hereto, which may be revised and updated by HPE from time to time. The Support Schedule provides for certain service level credits for downtime. Customer agrees that such credits are and will be Customer’s sole and exclusive remedy under this Agreement and the Support Schedule.

7)    Confidential Information

a)    Certain information regarding the Services and HPE’s business, including technical, marketing, financial, employee, planning, and other confidential or proprietary information, is considered HPE’s “Confidential Information”. In the event Customer does not have a current non-disclosure agreement in place with HPE that protects HPE Confidential Information, then Customer will protect the Confidential Information from unauthorized dissemination and use with the same degree of care Customer uses to protect its own like information and, in any event, will use no less than a reasonable degree of care in protecting such Confidential Information.  Customer will use the Confidential Information only for those purposes expressly authorized in this Agreement. Customer will not disclose to third parties the Confidential Information without the prior written consent of HPE.

8)    Ownership

a)    Customer does not acquire any right, title or interest in or to any Service, HPE Confidential Information, or other intellectual property owned or supplied by HPE. Except for the limited licenses granted hereunder, HPE reserves all rights not expressly granted and no license for such additional rights is implied or may be assumed.

b)    To the extent Customer discloses, uses, displays, performs, copies, distributes, creates derivative works of, makes, sells, or imports any Customer or third party products, data, or Customer Data using the Services, (i) Customer make the warranties and representations in Section 9 below; and (ii) HPE does not acquire any right, title or interest therein other than the limited right to operate such with the Services for Customer benefit.

9)    Warranties, Representations, Agreements

a)    Customer represents and warrants that (i) Customer has the full corporate right, power and authority to enter into this Agreement, (ii) the execution of this Agreement by and the performance of its obligations and duties hereunder do not and will not violate any agreement to which Customer is party or by which Customer is bound, and (iii) when executed and delivered, this Agreement will constitute the legal, valid and binding obligation of Customer, in accordance with its terms.

b)    In connection with the subject matter of this Agreement, Customer agrees to comply with all applicable laws and regulations, including export laws and data transfer laws.

c)     Customer is solely responsible for the development, content, operation, maintenance, and use of the Customer Data, including, without limitation: (i) the technical operation of Customer Data; (ii) compliance of the Customer Data with this Agreement, the HPE Privacy Statement, and all applicable laws or regulations; (iii) any claims relating to the Customer Data; and (iv) properly handling and processing notices sent to Customer by any person claiming that the Customer Data violates such person's rights, including notices pursuant to the Digital Millennium Copyright Act.

d)    Customer is responsible for properly configuring and using the Services and taking its own steps to maintain appropriate security, protection and backup of the Customer Data, which may include the use of encryption technology to protect the Customer Data from unauthorized access and routine archiving of the Customer Data. HPE does not encrypt Customer Data-at-rest. HPE recommends Customer encrypt all Customer Data within the Services. HPE’s log-in credentials and private keys generated by the Services are for Customer's internal use only and Customer may not sell, transfer or sublicense them to any other entity or person, except that Customer may disclose its private key to its agents and subcontractors performing work on its behalf.

e)    Customer will be deemed to have taken any action that Customer permits, assists or facilitates any person or entity to take related to this Agreement, the Customer Data or use of the Services. Customer is responsible for its End Users' use of the Customer Data and the Services. "End User" means any individual or entity that directly or indirectly through another user: (a) accesses or uses the Customer Data; or (b) otherwise accesses or uses the Services under Customer's account. Customer will ensure that all End Users comply with Customer's obligations under this Agreement and that the terms of Customer's agreement with each End User are consistent with this Agreement. If Customer becomes aware of any violation of its obligations under this Agreement by an End User, Customer will immediately terminate such End User's access to the Customer Data and the Services.

f)      Customer is responsible for providing customer service (if any) to End Users. HPE does not provide any support or services to End Users unless HPE has a separate agreement with Customer or an End User obligating HPE to provide such support or services.

g)    Customer is responsible for defining and maintaining its own individualized business continuity and disaster recovery plans should the Services become unavailable due to a disruptive event, such as a physical, social or financial disaster.  HPE will use commercially reasonable efforts to prevent disruption to Services and to restore Services as soon as possible. HPE does not guarantee continuous availability of the Services in the event of such disruption or disaster.

h)    Customer is responsible for implementing appropriate backup procedures for all Customer Data within the Services.


10)  Limitations of Liability


11)  Indemnification

a)    Customer will defend, indemnify, and hold harmless HPE, HPE’s affiliates and licensors, and each of their respective employees, officers, directors, and representatives from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to any third party claim concerning: (a) Customer or any End Users’ use of the Services (including any activities under Customer account and use by Customer employees and personnel); (b) breach of this Agreement or violation of applicable law by Customer or any End User; (c)  Customer Data or the combination of Customer Data with other applications, content or processes, including any claim involving alleged infringement or misappropriation of third-party rights by Customer Data or by the use, development, design, production, advertising or marketing of Customer Data; or (d) a dispute between Customer and any End User. If HPE or HPE’s affiliates are obligated to respond to a third party subpoena or other compulsory legal order or process described above, Customer will also reimburse HPE for reasonable attorneys’ fees, as well as HPE’s employees’ and contractors’ time and materials spent responding to the third party subpoena or other compulsory legal order or process at HPE’s then-current hourly rates.

b)    HPE will promptly notify Customer of any claim subject to Section 11) a), but HPE’s failure to promptly notify Customer will only affect Customer’s obligations under Section 11) a) to the extent that HPE’s failure prejudices Customer’s ability to defend the claim. Customer may: (a) use counsel of Customer’s own choosing (subject to HPE’s written consent) to defend against any claim; and (b) settle the claim, provided that Customer obtains HPE’s prior written consent before entering into any settlement. HPE may also assume control of the defense and settlement of the claim at any time.

12)  Acceptable Use

a)    Customer will comply at all times with the Website Terms of Use, as modified by HPE from time to time.  Customer’s failure to comply with the Website Terms of Use will be deemed a material breach hereunder and HPE may terminate or suspend access to the Services based on any such failure at its sole discretion.

b)    HPE reserves the right, but does not assume the obligation, to investigate any violation of Website Terms of Use or misuse of the Services. Without limiting the foregoing or any other remedies available in the Agreement, if HPE reasonably believes that any Customer Data violates the law, infringes or misappropriates the rights of any third party or otherwise violates a material term of the Agreement (including the documentation, this Agreement, or the Website Terms of Use (“Prohibited Content”), HPE will notify Customer of the Prohibited Content and may request such content be removed from the Services or access to it be disabled. If Customer does not remove or disable access to the Prohibited Content within two (2) business days of HPE’s notice, HPE may remove or disable access to the Prohibited Content or suspend the Services to the extent HPE is not able to remove or disable access to the Prohibited Content. Notwithstanding the foregoing, HPE may remove or disable access to any Prohibited Content without prior notice in connection with illegal content, where the content may disrupt or threaten the Services, pursuant to the Digital Millennium Copyright Act or as required to comply with law or any judicial, regulatory or other governmental order or request. In the event that HPE removes content without prior notice, HPE will provide prompt notice to Customer unless prohibited by law.

c)     Customer must comply with the current technical documentation applicable to the Services (including the applicable developer guides) as posted by HPE and updated by HPE from time to time on the Website. In addition, if Customer creates technology that works with a Service, Customer must comply with the current technical documentation applicable to that Service (including the applicable developer guides) as posted by HPE and updated by HPE from time to time on the Website.

d)    Customer will ensure that all information Customer provides to HPE via the Website (for instance, information provided in connection with Customer’s registration for the Services, requests for increased usage limits, etc.) is accurate, complete and not misleading.

e)    Customer agrees to provide information and/or other materials as reasonably requested by HPE to verify Customer's compliance with this Agreement.  HPE may monitor the external interfaces (e.g., ports) of Customer Data to verify compliance with the Agreement.  Customer will not block or interfere with HPE’s monitoring, but Customer may use encryption technology or firewalls to keep Customer’s Customer Data confidential. 

13)  Security and Data Privacy.

a)    Customer may specify the HPE regions in which Customer Data will be stored. Customer consents to the transfer to and storage of Customer Data in the HPE regions Customer selects. HPE, HPE affiliates and third party service providers will not access or use Customer Data except as necessary to maintain or provide the Services, or as necessary to comply with the law or a binding order of a governmental body. HPE and Customer agree to comply with the attached Schedule 1 - HPE Data Privacy and Security Agreement Schedule - HPE Cloud Volume Services. HPE recommends Customer notify HPE by emailing CV-PHI@hpe.com before introducing any sensitive data (including protected health information) within the Services.

b)    HPE will receive Diagnostic Data as a result of Customer’s use of the Services.  HPE may use and disclose Diagnostic Data at HPE’s discretion for any purpose, except where HPE is required to do otherwise under applicable law.  HPE may disclose Diagnostic Data to HPE affiliates, contractors and service providers who are working on HPE’s behalf to maintain and provide the Services. HPE also may use or disclose Diagnostic Data: (i) where it is in an aggregated, anonymized form that does not link such to a particular customer; or (ii) as HPE believes it to be necessary or appropriate (a) under applicable law, which may include laws outside Customer’s country of residence; (b) to respond to a governmental body or requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside Customer’s country of residence; (c) to enforce HPE  terms and conditions; and (d) to protect HPE  rights, privacy, safety or property, and/or that of HPE  affiliates, Customer or others. “Diagnostic Data” are certain information and diagnostic data in connection with Customer’s use of the Services, including without limitation system performance, capacity and memory usage, performance metrics, and error and information messages, and Service usage data related to Customer’s account, such as resource identifiers, metadata tags, security and access roles, rules, usage policies, permissions, usage statistics and analytics that the Services transmit to HPE and/or HPE may collect and use.

c)     HPE may use affiliates and third party service providers to perform the Services.  Customer understands, agrees and authorizes HPE to share access to Customer Data and Diagnostic Data with such third parties to maintain and provide the Services. Upon request, HPE will provide Customer with a list of current service providers performing hereunder.

14)  Third Party Content

a)    Third party content, such as software applications provided by third parties, may be made available directly to you by other companies or individuals under separate terms and conditions, including separate fees and charges. Because HPE may not have tested or screened the third party content, Customer use of any third party content is at Customer’s sole risk.

15)  Term and Termination

a)    This Agreement will commence on the Effective Date and continue until terminated in accordance with this Section 15.

b)    HPE may suspend Customer’s or any End User’s right to access or use any portion or all of the Services immediately upon notice to Customer if HPE determines:  (a) Customer’s or an End User’s use of or registration for the Services (i) poses a security risk to the Services or any third party, (ii) may adversely impact the Services or the systems or data of any other HPE customer, (iii) may subject HPE, HPE’s affiliates, or any third party to liability, or (iv) may be fraudulent;  (b) Customer is, or any End User is, in breach of this Agreement, including if Customer is delinquent on Customer’s payment obligations for more than fifteen (15) days; or  (c) Customer has ceased to operate in the ordinary course, made an assignment for the benefit of creditors or similar disposition of Customer assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding.

c)     If HPE suspends Customer’s right to access or use any portion or all of the Services:  (a) Customer remains responsible for all fees and charges Customer has incurred through the date of suspension;  (b) Customer remains responsible for any applicable fees and charges for any Services to which Customer continues to have access, as well as applicable data storage fees and charges, and fees and charges for in-process tasks completed after the date of suspension; (c) Customer will not be entitled to any service credits under the Support Schedule for any period of suspension; and (d) HPE will not erase any Customer Data as a result of Customer’s suspension, except as specified elsewhere in this Agreement.

d)    HPE’s right to suspend Customer’s or any End User’s right to access or use the Services is in addition to HPE’s right to terminate this Agreement pursuant to Sections 15) e) and f).

e)    Either party may terminate this Agreement for convenience by providing the other party thirty (30) days advanced written notice.

f)      Either party may terminate this Agreement for cause upon thirty (30) days advance written notice to the other party if there is any material default or breach of this Agreement by the other party, if the defaulting party has not cured the material breach within the thirty (30) day notice period.

g)    HPE reserves the right to terminate this Agreement (and/or Customer’s account) or Customer access to the Service or any APIs and/or Software provided under this Agreement, and to delete Customer Data: (i) due to a suspension under Section 15) b) above or termination for cause under Section 15) f); or (ii) immediately if HPE is compelled by court order or otherwise discover any use of the Services or APIs and/or Software by Customer that in HPE's reasonable discretion presents a security risk or that might be the subject of a legal claim or dispute. Upon any termination or notice of any discontinuance, all of Customer’s rights under the Agreement immediately terminate, Customer remains responsible for all fees and charges incurred through date of termination, and Customer agrees to return (or destroy per HPE’s instruction) all HPE Confidential Information in Customer’s possession. 

h)    Unless HPE terminates all or a portion of the Services or the Agreement for cause, Customer will have an opportunity, upon Customer request, to remove all Customer Data from the Services for a period of thirty (30) days of the termination date of the Customer’s account (the "Data Removal Period"). HPE may, at HPE's sole option, delete any and all Customer Data from HPE's cloud servers, website or any other data storage systems, including without limitation any and all backup copies thereof post-Data Removal Period. HPE is not responsible for (i) any Customer deletion of Customer Data (at any time) nor (ii) deletion, destruction, damage, loss or failure by Customer to backup any Customer Data removed by HPE post Data Removal Period.

16)  Survival

a)    The following sections of this Agreement and each party’s rights and obligations thereunder will survive any termination or expiration of the Agreement:  Sections 7-18.  The parties' respective obligations of confidentiality will survive the expiration, termination or rescission of this Agreement and continue in full force and effect for one (1) year thereafter.

17)  Governing Law/Disputes

a)    This Agreement and any action related thereto will be governed by the laws of the State of California without regard to its conflict of law rules. The United Nations Convention for the International Sale of Goods does not apply to this Agreement. 

18)  Miscellaneous Provisions

a)    Customer will not assign this Agreement, or delegate, sublicense or transfer any of Customer’s rights under this Agreement, without HPE’s prior written consent.  Any assignment in violation of this Section 18) a) will be void.  This Agreement will bind and inure to the benefit of each party's successors and permitted assigns.

b)    Neither party will be deemed to be an agent of the other party and the relationship of the parties will be that of independent contractors. Neither party will have any right or authority to assume any obligations, or to make any representations or warranties, whether express or implied, on behalf of the other party, or to bind the other party in any matter whatsoever.

c)     HPE may provide any notice to Customer under this Agreement by: (i) posting a notice on the Website; or (ii) sending a message to the email address then associated with Customer’s account. Notices HPE provide by posting on the Website will be effective upon posting and notices HPE provide by email will be effective when HPE send the email. It is Customer’s responsibility to keep Customer’s email address current. Customer will be deemed to have received any email sent to the email address then associated with Customer account when HPE sends the email, whether or not Customer actually receives the email.

d)    Customer may provide HPE notice under this Agreement by contacting HPE by personal delivery, overnight courier or registered or certified mail to HPE, Legal Dept., 6280 America Center Drive, San Jose, California 95002, USA. HPE may update the address for notices to HPE by posting a notice on the Website. Notices provided by personal delivery will be effective immediately. Notices provided registered or certified mail will be effective three (3) business days after they are sent.

e)    All communications and notices to be made or given pursuant to this Agreement must be in the English language.

f)      This Agreement, together with all orders, represents the sole, exclusive and integrated mutual statement of understanding of the parties concerning the Services to be provided hereunder, and supersedes and cancels all previous and contemporaneous written and oral agreements and communications between the parties relating to the subject matter of this Agreement.  HPE will not be bound by any term, condition or other provision which is different from, or in addition to the provisions of this Agreement and which is submitted by Customer in any order, receipt, acceptance, confirmation, correspondence or other document.

g)    If any provision of this Agreement, or a portion thereof, will be adjudged by a court of competent jurisdiction to be unenforceable or invalid, that portion will be eliminated or limited to the minimum extent necessary so that this Agreement will remain in full force and effect and enforceable.

h)    Except for performance of a payment obligation, neither party will be liable under this Agreement for delays, failures to perform, damages, losses or destruction, or malfunction of any equipment, or any consequence thereof, caused or occasioned by, or due to fire, earthquake, flood, water, the elements, labor disputes or shortages, utility curtailments, power failures, explosions, civil disturbances, acts of war or terror, governmental actions, shortages of equipment or supplies, unavailability of transportation, acts or omissions of third parties, or any other cause beyond its reasonable control. If the force majeure continues for more than thirty (30) calendar days, then either party may terminate the Agreement for convenience upon written notice to the other party.

i)      Customer will, in connection with Customer's use of the Services, comply with all applicable export and re-export control laws and regulations, including the Export Administration Regulations, the International Traffic in Arms Regulations, and country-specific economic sanctions programs implemented by the Office of Foreign Assets Control.

j)      HPE may use Customer’s name and logo in HPE’s marketing materials, website(s) and communications, subject to Customer’s then-current trademark usage guidelines, for the purpose of indicating Customer is a user of the Services.




HPE Data Privacy and Security Agreement Schedule

HPE Cloud Volume Services

This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection with the Services on Customer’s behalf and is made a part of the Agreement.

1.     This DPSA forms part of the Agreement. To the extent there are any conflicts between the terms of this DPSA and the Agreement, the DPSA shall prevail.

2.     Definitions:

2.1. “Personal Data” or “Customer Personal Data” means any (Customer) information relating to an identified or identifiable natural persons or as otherwise defined in applicable Privacy Laws that Customer will provide to HPE for Processing on Customer's (or the applicable Controller's) behalf, which may include protected health information covered by Health Insurance Portability and Accountability Act 1996 (“HIPAA”).

2.2. “Binding Corporate Rules – Processors or BCR-P” means the Intercompany Agreement and the applicable policies and procedures which form HPE's Binding Corporate Rules for Processors as they apply to the Customer and as developed, amended or updated by HPE from time to time in accordance with the applicable Working Documents adopted by the Article 29 Working Party (and subsequently the European Data Protection Board). A copy of the documentation comprising the BCR-P, which is incorporated by reference and is an integral part of this DPSA, will be made available by HPE upon a Customer’s written request.

2.3. “Business Contact Data” means contact information of Customer's representatives for invoicing, billing, and other business inquiries, (ii) information required for payment and its processing, (iii) information on Customer's usage of Services, and (iv) other information that HPE collects and needs to communicate with Customer.

2.4. “Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by applicable Privacy Law, the Controller or criteria for the Controller’s nomination will be as designated by applicable Privacy Law.

2.5. “General Data Protection Regulations or GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and its implementing legislation), with effect from 25th May 2018

2.6. “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss 1320d-1320d-8.

2.7. “Intercompany Agreement” means the intercompany agreement on the Processing and Transfer of HPE Customer owned Personal Data entered into by HPE companies.

2.8. “Privacy Laws” mean all applicable laws and regulations relating to the Processing of Personal Data and privacy that may exist in the relevant jurisdictions, including HIPAA and the GDPR.

2.9. “Processor” means any natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of a Controller or on the instruction of another Processor acting on behalf of a Controller.

2.10.              “Process,” “Processing,” or “Processed” means an operation or set of operations performed on or with Personal Data whether or not by automatic means (including, without limitation, accessing, collecting, recording, organizing, retaining, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing, and destroying Personal Data) and any equivalent definitions in Privacy Law to the extent that such definition should modify this definition.

2.11.              "Relevant Country" means a third country outside of the EEA, Switzerland and the UK (once the UK has ceased to be a member state of the EU) which has not been given an adequacy finding pursuant to Article 45 of the GDPR.

2.12.              “Special Category Data” means Customer Personal Data which relates to an individual's racial/ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, biometric data (if used for the purpose of uniquely identifying an individual) or genetic data.

3.     Appointment and Instructions:

3.1.   HPE shall Process Customer Personal Data as necessary to provide the Services and to meet HPE's obligations under this DPSA, the Agreement, and applicable Privacy Law as a service provider and Processor of Customer Personal Data. Details of the Processing including the subject matter, purpose and duration of the Processing the types of personal data and categories of data to whom the data are set out in Exhibit A.

3.2.   HPE shall Process Customer Personal Data in accordance with Customer’s instructions as set out in this DPSA, the Agreement, or other documented instructions between HPE and Customer. Potential costs and charges associated with such additional instructions shall be agreed pursuant to the terms of the Agreement.

3.3.   HPE may Process Customer Personal Data other than on the instructions of Customer if it is required under law applicable to HPE.  In this situation, HPE shall inform Customer of such a requirement before HPE Processes Customer Personal Data unless the law prohibits this on important grounds of public interest.  If HPE is unable to comply with Customer’s instructions or this DPSA due to changes in legislation or, if HPE believes (without having to conduct a comprehensive legal analysis) that any instruction from Customer will violate applicable law or for any other reason, HPE shall promptly notify Customer in writing.

3.4.   HPE acknowledges that HPE has no right, title, or interest in Customer Personal Data (including all intellectual property or proprietary information contained therein). HPE may not sell, rent, or lease Customer Personal Data to anyone.

3.5.   If Customer uses the Services to Process any categories of data not expressly covered by this DPSA, Customer acts at its own risk and HPE shall not be responsible for any potential compliance deficits related to such use.

4.     Compliance with laws

4.1.   The Parties shall at all times comply with their respective obligations under this DPSA and Privacy Laws that apply to their respective processing of Personal Data.  In addition, if HPE interacts with Protected Health Information as defined under the Health Insurance Privacy and Portability Act, the parties agree to comply with the terms of the Business Associate Agreement found at www.hpe.com/info/customer-privacy.html.

4.2.   HPE shall also comply with all applicable laws and HPE’s privacy policy with respect to the Processing of Business Contact Data and use Business Contact Data only for legitimate business purposes, including, without limitation, invoicing, collections, service usage monitoring and optimization, service improvements, maintenance, support, communications relating to contract renewals (directly or through a subprocessor acting on HPE’s behalf or an HPE approved reseller for contract renewal purposes), and information about new and additional services.

4.3.   Where HPE discloses its personnel’s personal data to Customer or HPE personnel provide their personal data directly to Customer, which Customer Processes to manage its use of the Services, Customer shall Process that data in accordance with its privacy policies and applicable Privacy Laws. Such disclosures shall be made by HPE only where lawful for the purposes of contract management, service management, or Customer’s reasonable and lawful background screening verification or security purposes.

5.     Security

5.1.   HPE shall implement and maintain the physical, technical, and organizational security measures set out in Exhibit A, as may be supplemented or modified in the applicable transaction document, to protect Customer Personal Data and Business Contact Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, or access. 

5.2.   Customer acknowledges that HPE may change the security measures through the adoption of new or enhanced security technologies and authorises HPE to make such changes provided that they do not diminish the level of protection. HPE shall make information about the most up to date security measures applicable to the Services available to Customer upon request.

6.     Subprocessing and Location of Processing

6.1.   Customer authorises HPE to engage affiliated and unaffiliated subprocessors (“Subprocessors”) to perform some or all of its obligations under the Agreement. Only where necessary to provide the Services, HPE will provide its Subprocessors with access to Customer Personal Data. HPE will provide its affiliates and subcontractors with access to Customer Personal Data. HPE shall make details of the identity of its affiliated and third party subcontractors and the processing locations available to Customer via a website easily accessible to Customer.

6.2.   The Subprocessors applicable to the Services and location of processing can be found at www.hpe.com/info/customer-privacy.html and are deemed as approved by Customer. Customer will subscribe to HPE’s notification tool on the above website, and in the event of changes to approved Subprocessors, HPE will notify Customer via the notice subscription tool. Customer shall have ten (10) business days from receipt of the information on Subprocessors to object to the appointment or replacement of a Subprocessor, and the parties shall use all reasonable endeavours to resolve Customer’s objection. If the parties fail to resolve Customer’s objection within a reasonable period of time, the matter shall be addressed pursuant to the dispute resolution procedure in the Agreement. In case HPE and customer fail to agree on an amicable resolution to the proposed subprocessor change, HPE shall have a right to terminate the contract without further obligations. 

6.3.   HPE shall conduct appropriate due diligence of its Subprocessors and execute valid, enforceable, and written contracts with Subprocessors requiring the Subprocessor to abide by terms no less protective than those in this DPSA regarding the Processing and protection of Customer Personal Data (including the EU Model Contract terms relating to data importers in the case of an onward transfer of EU, EEA, or Swiss Personal Data to a non-adequate country).

6.4.   HPE remains responsible for the acts and omissions of the affiliates and Subprocessors it engages to provide the Services to Customers giving rise to a breach of this DPSA as if they were its own acts or omissions.

7.     Audit and Assurance

7.1.   HPE shall arrange for audits of HPE's data Processing and protection practices to confirm compliance with applicable Privacy Law by reputable third party auditors and provide Customer with a report summary and additional information on request.

7.2.   Customer shall have the right to conduct additional audits of HPE’s compliance with its obligations under this DPSA in accordance with the Agreement. The audit rights are generally exercised in consultation with HPE. HPE is obliged to assist Customer in such audits and any audits of the competent authorities. These audits must be carried out in consideration of the business processes and HPE's need for security and confidentiality.

7.3.   Certain information about HPE’s security standards and practices are sensitive confidential information which will not be disclosed by HPE to Customer.  Upon request, HPE agrees to respond, no more than once per year, to a reasonable information security questionnaire concerning security practices specific to the Services provided hereunder.

7.4.   On Customer’s request, HPE shall within a reasonable timeframe make appropriate information available to Customer to demonstrate its compliance with applicable Privacy Law, save where that information is readily available to Customer direct through its use of the Services. 

8.     Providing Customer Assistance

8.1.   At Customer's request HPE shall cooperate with Customer and provide Customer with assistance necessary to facilitate the Processing of Customer Personal Data in compliance with Privacy Laws applicable to Customer in relation to HPE Services, including by way of example:

8.1.1. assist Customer by implementing appropriate and reasonable technical and organizational measures, insofar as this is possible, to assist with Customer's obligation to respond to requests from individuals seeking to exercise their rights under the Privacy Laws applicable to Customer;

8.1.2. provide reasonable assistance to Customer in Customer's assessment and implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the Processing and the nature of Customer Personal Data;

8.1.3. the notification of Security Incidents pursuant to Exhibit A;

8.1.4. provide reasonable assistance to Customer in carrying out a privacy impact assessment.

8.2.   If Customer requests cooperation or assistance pursuant to this Section, Customer shall notify HPE in writing of the requirements and formulate Customer's instructions. HPE shall respond within a reasonable period of time and provide Customer with approximate time and fee estimates for the implementation of any changes necessary to accommodate Customer's compliance needs. To the extent that compliance with this Section constitutes a change to the scope of the Services, the parties shall, acting reasonably, agree on appropriate change order.

9.     Data Return or Destruction Service

9.1.   Upon termination of the Agreement, HPE shall at the election of Customer return or delete Customer Personal Data and HPE shall not retain copies of Customer Personal Data unless otherwise agreed with Customer or where it is required to do so under applicable law, in which case HPE shall stop actively Processing the data and maintain the security and confidentiality of the data.

10.  International Transfers of EU Customer Personal Data

10.1.    The Customer acknowledges that as part of the Services the EU Customer Personal Data may be processed in or accessed from the US or another Relevant Country.

10.2.    Where this involves any HPE company based in a Relevant Country and the Customer is established in the EU/ EEA/Switzerland/UK the Customer wishes to rely on HPE's BCR-P in relation to the transfer of the EU Customer Personal Data to the Relevant Country in connection with the provision of the Services. Accordingly the parties have agreed that:

10.2.1.   HPE (and any other HPE company whom the Customer authorizes to Process EU Customer Personal Data pursuant to Clause 4 of this DPSA) may receive and/or transfer EU Customer Personal Data to the Relevant Country in accordance with the BCR-P; and

10.2.2.   the BCR-P shall be binding to the Customer by means of the third party rights set out in Clause 4.1 of the BCR-P which shall include the right to enforce the BCR-P against HPE  including judicial remedies and the right to receive compensation.

10.3.    Customer shall:

10.3.1.   ensure that if the transfer involves Special Category Data, that EU Data Subjects have been informed of the transfer, or will be informed before the transfer, that this Special Category Data could be transmitted to a Relevant Country; and

10.3.2.   inform EU Data Subjects regarding the existence of Processors outside of the EU/EEA/Switzerland/UK and of Customer's reliance on the BCR-P as required by Privacy Laws and shall make available to EU Data Subjects upon request a link to HPE's BCR Rights Notice at https://www.hpe.com/uk/en/privacy/binding-corporate-rules.html .


Exhibit A - Cloud Volume Services Data Processing

In this Exhibit, HPE describes the terms specific to Cloud Volume Services, including its commitment to technical and organizational security measures to protect Customer Personal Data.

HPE performs the following Personal Data Processing as part of Services

As part of providing customer access and use of HPE’s cloud based storage and management services, HPE may have access to data stored within Customer’s business applications through Customer’s use of the Cloud Volume Services.This data may include Customer Personal Data.


Type of Customer Personal Data Processed

The type of Personal Data Processed will depend on the data the Customer has stored through their use of the Cloud Volume Services and may include sensitive Personal Data.


Categories of Data Subjects

Any data subject whose Personal Data is stored by the Customer through use of the Cloud Volume Services including, without limitation, Customer’s clients, end users, employees, contractors, and temporary workers.


Duration of Processing

HPE shall process Customer Personal Data for the duration of the customer subscription agreement and any applicable transaction document(s).


Security Measures

HPE shall maintain the following information and physical security program for the protection of Customer Personal Data.





1.1.   HPE implements reasonable measures designed to help secure Customer Personal Data against accidental or unlawful loss, access or disclosure. HPE, HPE affiliates and third party service providers will only use Customer Data to maintain or provide the Cloud Volume Services.

1.2.   Customer may specify the HPE regions in which Customer Data will be stored. Customer consents to the transfer to and storage of Customer Data in the HPE regions Customer selects. HPE, HPE affiliates and third party service providers will not access or use Customer Data except as necessary to maintain or provide the Cloud Volume Services, or as necessary to comply with the law or a binding order of a governmental body.

1.3.   HPE will not (a) disclose Customer Data to any government or third party (other than HPE affiliates and service providers) or (b) store Customer Data in a region other than the HPE regions selected by Customer; except in each case as necessary to comply with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a governmental body, HPE will give Customer notice of any legal requirement or order referred to in this Section.

1.4.   HPE may use affiliates and third party service providers to perform the Services. Customer understands, agrees and authorizes HPE to share access to Customer Data with such third parties to maintain and provide the Services.

1.5.   HPE will provide Customer with a list of current service providers performing the Services in accordance with Section 6.2 of this Agreement.

1.6.   Computers and servers have reasonable up-to-date versions of system security software which may include host firewall, anti-virus protection, and up-to-date patches and virus definitions.  Software is configured to scan for and promptly remove or fix identified findings.  HPE maintains logs of various components of the infrastructure and an intrusion detection system to monitor, detect, and report misuse patterns, suspicious activities, unauthorized users, and other actual and threatened security risks. 

1.7.   Employees and contractors are trained on HPE’s privacy and security policies and made aware of their responsibilities with regard to privacy and security practices. HPE employees and contractors are contractually bound to maintain the confidence of Customer Personal Data and comply with applicable HPE policies, standards, or requirements in relation to the Processing of Customer Personal Data. Failure to comply with those policies, standards, or requirements will be subject to investigation which may result in disciplinary action up to and including termination of employment or engagement by HPE.

1.8.   The processing of Customer’s payment card for Services payments shall comply with the Payment Card Industry Data Security Standard ("PCI DSS") version in effect at the time of signing the Customer Subscriber Agreement.  Future versions of PCI DSS shall be implemented in accordance with change control terms under that Agreement.

1.9.   In the event HPE confirms a security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data (“Security Incident”), HPE will:

1.9.1.   without undue delay, notify Customer of the Security Incident.  HPE will provide Customer with updates on the status of the Security Incident until the matter has been remediated. The reports will include, without limitation, a description of the Security Incident, actions taken, and remediation plans.  If Customer becomes aware of a Security Incident that affects the Services, Customer shall promptly notify HPE of such and inform HPE of the scope of the Security Incident by reporting a security vulnerability here: https://www.hpe.com/us/en/services/security-vulnerability.html

1.9.2.   at the request and cost of the Customer, (i) provide reasonable assistance to the Customer in notifying a security breach to the supervisory authority competent under the Privacy Laws applicable to the Customer; and (ii) provide reasonable assistance to the Customer in communicating a data breach to data subjects in cases where the data breach is likely to result in a high risk to the rights and freedoms of individuals.




In the event of a conflict between the terms of this Support Appendix and the terms of the Agreement or other agreement with HPE governing Customer’s use of HPE’s Services, the terms and conditions of these Support Schedule apply, but only to the extent of such conflict. Capitalized terms used herein but not defined herein will have the meanings set forth in the Agreement.

1.1. Subject to Customer’s payment of the applicable purchase price for support, HPE Storage or its designated support partners will provide support to Customer for so long as Customer has subscribed to the Services.  In the event that Customer fails to pay for support in a timely basis, then without limiting HPE’s other rights and remedies, HPE reserves the right to immediately suspend or discontinue support. 

1.2  From time to time, HPE may apply upgrades, patches, bug fixes or other maintenance to the Services (Maintenance). HPE will use reasonable efforts to provide Customer with prior notice of any scheduled Maintenance (except for emergency Maintenance) and Customer agrees to use reasonable efforts to comply with any Maintenance requirements that HPE notifies Customer about.

1.3  HPE or its designated support partners will provide telephone and e-mail support for the use of the Services twenty-four hours a day, seven days a week.  Such support will be provided solely to the Customer individual(s) assigned to the volume or the Service account (as the case may be), and will consist of answering questions regarding the proper operation of the Services, providing troubleshooting assistance, and rendering general information, advice, and instructions in connection with the use of the Services. HPE will have no obligation to accept calls or messages directly from, or otherwise interact directly with, personnel other than those Customer individuals assigned to the volume and/or Service account. 

1.4  As a condition to all of HPE’s obligations under this Support Appendix, Customer will provide the following:

1.4.1            Customer will (a) provide HPE, at its request, with reasonable access to appropriate personnel, records, network resources, and maintenance logs; and (b) comply with HPE’s instructions regarding the use of the Services.

1.4.2            Customer agrees and acknowledges that HPE’s obligations under this Support Appendix is limited to the Services, and that HPE is not responsible for the operation and general maintenance of Customer’s computing environment. Customer will also be responsible for activities related to data backup, and Customer will ensure that all necessary data backup functions have been performed.  HPE will not be responsible for any losses or liabilities arising in connection with any failure of data backup processes.

1.4.3            Notwithstanding anything to the contrary in this Support Appendix, HPE will have no obligation to provide any support to Customer to the extent that such support arises from or relate to any conditions that are listed as a Service Commitment Exclusion (as defined below).

Standard Response Levels

The below describes the HPE support offerings that are available for purchase by Customer for the Services.  Such offerings are available subject to HPE’s then-current technical support policies, which may be updated by HPE from time to time. 

Type of Response

Response Time

Restrictions/Special Terms


·           P1*: Telephone response in 30 minutes or less with immediate escalation to Engineering, if required

·           P2: Response in 2 business hours or less

·           P3: Response in 8 business hours or less

·           P4: Next business day (Monday through Friday)

    *Customer must telephone Support to establish a P1 case

·   FAQ and documentation available through the Website

·    Available seven (7) days each week, twenty-four (24) hours each day - including holidays (telephone and email)

·   24 x 7 Engineering Escalation Support


P1: Not serving data or severe performance degradation, inability to create a new volume

P2: Performance degradation or intermittent software faults or network degradation

P3: Issue or defect causing minimal business impact

P4: Request for information; administrative requests, billing and credit inquiries

Uptime Service Level Agreement

This Uptime Service Level Agreement (“SLA”) applies separately to each account using the Services. Unless otherwise provided herein, this SLA is subject to the terms of the Agreement and capitalized terms will have the meaning specified in the Agreement. HPE reserves the right to change the terms of this SLA in accordance with the Agreement.

Service Commitment

HPE will use commercially reasonable efforts to make the Service available with a Monthly Uptime Percentage (as defined below) of at least 99.95%, during any monthly billing cycle (the “Service Commitment”). In the event HPE does not meet the Service Commitment, Customer will be eligible to receive a Service Credit as more fully described below.


·         “Monthly Uptime Percentage” is calculated by subtracting from 100% the percentage of minutes during the month in which the Service was Unavailable to Customer. Monthly Uptime Percentage measurements exclude downtime resulting directly or indirectly from any SLA Exclusion (defined below).

  • “Unavailable” and “Unavailability” means when all of your attached volumes perform zero read write IO, with pending IO in the queue.
  • “Service Credit” is a dollar credit, calculated as set forth below, that HPE may credit back to an eligible account.

Service Credits

Service Credits are calculated as a percentage of the total charges paid by you for the affected Service for the monthly billing cycle in which the Unavailability occurred in accordance with the schedule below.

 Monthly Uptime Percentage

Service Credit Percentage

Less than 99.95% but equal to or greater than 99.0%


Less than 99.0%


HPE will apply any Service Credits only against future Service payments otherwise due from Customer. At HPE’s discretion, HPE may issue the Service Credit to the credit card Customer used to pay for the billing cycle in which the Unavailability occurred. Service Credits will not entitle Customer to any refund or other payment from HPE. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly billing cycle is greater than one US dollar ($1 USD). Service Credits may not be transferred or applied to any other account. Unless otherwise provided in the Agreement, Customer’s sole and exclusive remedy for any unavailability, non-performance, or other failure by HPE to provide the Service is the receipt of a Service Credit (if eligible) in accordance with the terms of this SLA.

Credit Request and Payment Procedures

To receive a Service Credit, Customer must submit a claim by opening a case with HPE support. To be eligible, the credit request must be received by HPE by the end of the second billing cycle after which the incident occurred and must include:

  1. the words “SLA Credit Request” in the subject line;
  2. the dates and times of each incident of Unavailability the Customer is claiming; and
  3. Customer documentation that corroborates Customer claimed outage (any confidential or sensitive information in these materials should be removed).

If the Monthly Uptime Percentage applicable to the month of such request is confirmed by HPE and is less than the applicable Service Commitment, then HPE will issue the Service Credit to Customer within one billing cycle following the month in which Customer request is confirmed by HPE. Customer failure to provide the request and other information as required above will disqualify Customer from receiving a Service Credit.

HPE SLA Exclusions

The Service Commitment does not apply to any unavailability, suspension or termination of the Service, or any other Service performance issues: (i) that result from a suspension of Services and/or support as described in the Agreement; (ii) caused by factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of the Service; (iii) that result from any actions or inactions of Customer or any third party; (iv) that result from Customer equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control); or (v) arising from our suspension and termination of Customer right to use Service in accordance with the Agreement (collectively, the “HPE SLA Exclusions”). If availability is impacted by factors other than those used in HPE’s calculation of the Unavailability, then HPE may issue a Service Credit considering such factors at HPE’s discretion.