Microsoft Online Subscription Agreement – US Government Cloud

Last updated: August 2017

This Microsoft Online Subscription Agreement is between the entity you represent, or, if you do not designate an entity in connection with a Subscription purchase or renewal, you individually (“you” or “your”), and Microsoft Corporation (“Microsoft”, “we”, “us”, or “our”). It consists of the terms and conditions below, as well as the Online Services Terms, the SLAs, and the Offer Details for your Subscription or renewal (together, the “agreement”). It is effective on the date we provide you with confirmation of your Subscription or the date on which your Subscription is renewed as applicable. Key terms are defined in Section 12.

1. Use of Online Services.

a. Right to use. We grant you the right to access and use the Online Services and to install and use the Software included with your Subscription, as further described in this agreement. We reserve all other rights.

b. Acceptable use. You may use the Product only in accordance with this agreement. You may not reverse engineer, decompile, disassemble, or work around technical limitations in the Product, except to the extent applicable law permits it despite these limitations. You may not disable, tamper with, or otherwise attempt to circumvent any billing mechanism that meters your use of the Online Services. You may not rent, lease, lend, resell, transfer, or host the Product, or any portion thereof, to or for third parties except as expressly permitted in this agreement or the Online Services Terms.

c. End Users. You control access by End Users, and you are responsible for their use of the Product in accordance with this agreement. For example, you will ensure End Users comply with the Acceptable Use Policy.

d. Customer Data. You are solely responsible for the content of all Customer Data. You will secure and maintain all rights in Customer Data necessary for us to provide the Online Services to you without violating the rights of any third party or otherwise obligating Microsoft to you or to any third party. Microsoft does not and will not assume any obligations with respect to Customer Data or to your use of the Product other than as expressly set forth in this agreement or as required by applicable law.

e. Responsibility for your accounts. You are responsible for maintaining the confidentiality of any non-public authentication credentials associated with your use of the Online Services. You must promptly notify our customer support team about any possible misuse of your accounts or authentication credentials or any security incident related to the Online Services.

f. Preview releases. We may make Previews available. Previews are provided “as-is,” “with all faults,” and “as-available,” and are excluded from the SLAs and all limited warranties provided in this agreement. Previews may not be covered by customer support. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into general availability.

g. Managed Services for Microsoft Azure. You may use Microsoft Azure Services to provide a Managed Service Solution provided (1) you have the sole ability to access, configure, and administer the Microsoft Azure Services, (2) You have administrative access to the virtual OSE(s), if any, in the Managed Service Solution, and (3) the third party has administrative access only to its application(s) or virtual OSE(s). You are responsible for the third party’s use of Microsoft Azure Services in accordance with the terms of this agreement. Your provision of Managed Services remains subject to the following limitations in the Online Services Terms:

(i) you may not resell or redistribute the Microsoft Azure Services, and

(ii) you may not allow multiple users to directly or indirectly access any Microsoft Azure Services feature that is made available on a per user basis.

h. Additional Software for use with the Online Services To enable optimal access to and use of certain Online Services, you may install and use certain Software in connection with your use of the Online Service as described in the Online Services Terms. We license Software to you; we do not sell it. Proof of your Software license is (1) this agreement, (2) any order confirmation, and (3) proof of payment. Your rights to access Software on any device do not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that access that device.

2. Purchasing services.

a. Available Subscription offers The Portal provides Offer Details for available Subscription offers, which generally can be categorized as one or a combination of the following:

(i) Commitment Offering. You commit in advance to purchase a specific quantity of Online Services for use during a Term and to pay upfront or on a periodic basis in advance of use. With respect to Microsoft Azure Services, additional or other usage (for example, usage beyond your commitment quantity) may be treated as a Consumption Offering. Committed quantities not used during the Term will expire at the end of the Term.

(ii) Consumption Offering (also called Pay-As-You-Go). You pay based on actual usage in the preceding month with no upfront commitment. Payment is on a periodic basis in arrears.

(iii) Limited Offering. You receive a limited quantity of Online Services for a limited term without charge (for example, as a Trial Subscription) or as part of another Microsoft offering (for example, MSDN). Provisions in this agreement with respect to pricing, cancellation fees, payment, and data retention may not apply.

b. Ordering.

(i) By ordering or renewing a Subscription, you agree to the Offer Details for that Subscription. Unless otherwise specified in those Offer Details, Online Services are offered on an “as available” basis. You may place orders for your Affiliates under this agreement and grant your Affiliates administrative rights to manage the Subscription, but Affiliates may not place orders under this agreement. You also may assign the rights granted under Section 1.a to a third party for use by that third party in your internal business. If you grant any rights to Affiliates or third parties with respect to Software or your Subscription, such Affiliates or third parties will be bound by this agreement and you agree to be jointly and severally liable, to the extent not prohibited expressly by applicable law, for any actions of such Affiliates or third parties related to their use of the Products.

(ii) Some offers may permit you to modify the quantity of Online Services ordered during the Term of a Subscription. Additional quantities of Online Services added to a Subscription will expire at the end of that Subscription. If you decrease the quantity during a Term, we may charge you a cancellation fee for the decrease in quantity as described below in Section 3.b.

c. Pricing and payment. Payments are due and must be made according to the Offer Details for your Subscription.

(i) For Commitment Offerings, the price level may be based on the quantity of Online Services you ordered. Some offers may permit you to modify the quantity of Online Services ordered during the Term and your price level may be adjusted accordingly, but price level changes will not be retroactive. During the Term of your Subscription, prices for Online Services will not be increased, as to your Subscription, from those posted in the Portal at the time your Subscription became effective or was renewed, except where prices are identified as temporary in the Offer Details, or for Previews or Non-Microsoft Products. All prices are subject to change at the beginning of any Subscription renewal.

(ii) For Consumption Offerings, pricing is subject to change at any time upon notice.

d. Renewal.

(i) Upon renewal of your Subscription, this agreement will terminate, and your Subscription will thereafter be governed, by the terms and conditions set forth in the Portal on the date on which your Subscription is renewed (the “Renewal Terms”). If you do not agree to any Renewal Terms, you may decline to renew your Subscription.

(ii) For Commitment Offerings, you may choose to have a Subscription automatically renew or terminate upon expiration of the Term. Automatic renewal is pre-selected. You can change your selection at any time during the Term. If the existing Term is longer than one calendar month, we will provide you with notice of the automatic renewal before the expiration of the Term.

(iii) For Consumption Offerings, unless prohibited by applicable law, your Subscription will renew automatically for additional one-month terms until you terminate the Subscription.

(iv) For Limited Offerings or Trial Subscriptions, renewal may not be permitted.

e. Eligibility for Academic, Government and Nonprofit versions. You agree that if you are purchasing an academic, government or nonprofit offer, you meet the respective eligibility requirements listed at the following sites:

(i) For academic offers, the requirements for educational institutions (including administrative offices or boards of education, public libraries, or public museums) listed at http://go.microsoft.com/?linkid=9862882;

(ii) For government offers, the requirements listed at http://go.microsoft.com/?linkid=9862883; and

(iii) For nonprofit offers, the requirements listed at http://www.microsoftvolumelicensing.com/userights/DocumentSearch.aspx?Mode=3&DocumentTypeId=19.

Microsoft reserves the right to verify eligibility at any time and suspend the Online Service if the eligibility requirements are not met.

f. Taxes.

Prices are exclusive of any taxes unless otherwise specified on the invoice as tax inclusive. You must pay any applicable value added, goods and services, sales, gross receipts, or other transaction taxes, fees, charges or surcharges, or any regulatory cost recovery surcharges or similar amounts that are owed under this agreement and which we are permitted to collect from you under applicable law, if any. You will be responsible for any applicable stamp taxes and for all other taxes that you are legally obligated to pay, if any, including any taxes that arise on the distribution or provision of Products to your Affiliates. We will be responsible for all taxes based on our net income, gross receipts taxes imposed in lieu of taxes on income or profits, or taxes on our property ownership.

If any taxes are required to be withheld on payments you make to us, you may deduct such taxes from the amount owed to us and pay them to the appropriate taxing authority; provided, however, that you promptly secure and deliver an official receipt for those withholdings and other documents we reasonably request to claim a foreign tax credit or refund. You must ensure that any taxes withheld are minimized to the extent possible under applicable law.

3. Term, termination, and suspension.

a. Agreement term and termination. This agreement will remain in effect until the expiration, termination, or renewal of your Subscription, whichever is earliest.

b. Subscription termination. You may terminate a Subscription at any time during its Term; however, you must pay all amounts due and owing before the termination is effective.

(i) One-Month Subscription. A Subscription having a one-month Term may be terminated anytime without any cancellation fee.

(ii) Subscriptions of more than one-month. If you terminate a Subscription to Microsoft Azure Services within 30 days of the date on which the Subscription became effective or was renewed, no refunds will be provided and you must pay for the initial 30 days of the Subscription, but no payments will be due for the remaining portion of the terminated Subscription. If you terminate a Subscription to Microsoft Azure Services at any other time during the term, you must pay for the remainder of the Term, and no refunds will be provided.

For all other Online Services, if you terminate a Subscription before the end of the Term, you must pay a fee equal to one-month’s Subscription fee and you will receive a refund of any portion of the Subscription fee you have paid for the remainder of the Term; provided, however, no refunds will be provided for partially unused months.

c. Suspension. We may suspend your use of the Online Services if: (1) it is reasonably needed to prevent unauthorized access to Customer Data; (2) you fail to respond to a claim of alleged infringement under Section 5 within a reasonable time; (3) you do not pay amounts due under this agreement; or (4) you do not abide by the Acceptable Use Policy or you violate other terms of this agreement. If one or more of these conditions occurs, then:

(i) For Limited Offerings, we may suspend your use of the Online Services or terminate your Subscription and your account immediately without notice, if not prohibited by applicable law.

(ii) For all other Subscriptions, a suspension will apply to the minimum necessary part of the Online Services and will be in effect only while the condition or need exists. We will give notice before we suspend, except where we reasonably believe we need to suspend immediately. We will give at least 30 days' notice before suspending for non-payment. If you do not fully address the reasons for the suspension within 60 days after we suspend, we may terminate, if not prohibited by applicable law, your Subscription and delete your Customer Data without any retention period. We may, if not prohibited by applicable law, also terminate your Subscription if your use of the Online Services is suspended more than twice in any 12-month period.

4. Warranties.

a. Limited warranty.

(i) Online Services. We warrant that the Online Services will meet the terms of the SLA during the Term. Your only remedies for breach of this warranty are those in the SLA.

(ii) Software. We warrant for one year from the date you first use the Software that it will perform substantially as described in the applicable user documentation. If Software fails to meet this warranty we will, at our option and as your exclusive remedy, either (1) return the price paid for the Software or (2) repair or replace the Software.

b. Limited warranty exclusions. This limited warranty is subject to the following limitations:

(i) any implied warranties, guarantees or conditions not able to be disclaimed as a matter of law will last one year from the start of the limited warranty;

(ii) this limited warranty does not cover problems caused by accident, abuse or use of the Products in a manner inconsistent with this agreement or our published documentation or guidance, or resulting from events beyond our reasonable control;

(iii) this limited warranty does not apply to problems caused by a failure to meet minimum system requirements; and

(iv) this limited warranty does not apply to Previews or Limited Offerings.

c. DISCLAIMER. Other than this warranty, and to the extent not prohibited by applicable law, we provide no warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability or fitness for a particular purpose. These disclaimers will apply except to the extent applicable law does not permit them.

5. Defense of claims.

a. Defense.

(i) We will defend you against any claims made by an unaffiliated third party that a Product infringes that third party’s patent, copyright or trademark or makes unlawful use of its trade secret.

(ii) To the extent not prohibited by applicable law and to the extent subsection (iii) below does not apply to you, you will defend us against any claims made by an unaffiliated third party that (1) any Customer Data, Customer Solution, or Non-Microsoft Products, or services you provide, directly or indirectly, in using a Product infringes the third party’s patent, copyright, or trademark or makes unlawful use of its trade secret; or (2) arises from violation of the Acceptable Use Policy.

(iii) If you are a Federal Agency, subsection (ii) above shall not apply. However, you agree that use of any Customer Data, Customer Solution, or non-Microsoft Products, or services you provide, directly or indirectly, in using a Product will not infringe any third party's patent, copyright or trademark or make unlawful use of any third party's trade secret. In addition, you will not use an Online Service in violation of the Acceptable Use Policy.

b. Limitations. Our obligations in Section 5a won’t apply to a claim or award based on: (i) any Customer Solution, Customer Data, Non-Microsoft Products, modifications you make to the Product, or services or materials you provide or make available as part of using the Product; (ii) your combination of the Product with, or damages based upon the value of, Customer Data, or a Non-Microsoft Product, data, or business process; (iii) your use of a Microsoft trademark without our express written consent, or your use of the Product after we notify you to stop due to a third-party claim; (iv) your redistribution of the Product to, or use for the benefit of, any unaffiliated third party; or (v) Products provided free of charge

c. Remedies. If we reasonably believe that a claim under Section 5.a.(i) may bar your use of the Product, we will seek to: (i) obtain the right for you to keep using it; or (ii) modify or replace it with a functional equivalent and notify you to stop use of the prior version of the Product. If these options are not commercially reasonable, we may terminate your rights to use the Product and then refund any advance payments for unused Subscription rights.

d. Obligations. Each party must notify the other promptly of a claim under this Section. The party seeking protection must (i) give the other sole control over the defense and settlement of the claim (provided that for any Federal Agency Customers, the control of the defense and settlement is subject to 28 U.S.C. 516); and (ii) give reasonable help in defending the claim. The party providing the protection, if and as applicable, will (1) reimburse the other for reasonable out-of-pocket expenses that it incurs in giving that help and (2) pay the amount of any resulting adverse final judgment or settlement. The parties’ respective rights to defense and payment of judgments (or settlement the other consents to) under this Section 5 are in lieu of any common law or statutory indemnification rights or analogous rights, and each party waives such common law or statutory rights.

e. Notwithstanding the foregoing, and solely with respect to Federal Agency customers, Microsoft’s rights set forth in this section (and the rights of the third party claiming infringement) shall be governed by the provisions of 28 U.S.C. § 1498.

6. Limitation of liability.

a. Limitation. The aggregate liability of each party for all claims under this agreement is limited to direct damages up to the amount paid under this agreement for the Online Service during the 12 months before the cause of action arose; provided, that in no event will a party’s aggregate liability for any Online Service exceed the amount paid for that Online Service during the Subscription. For Products provided free of charge, Microsoft’s liability is limited to direct damages up to $5000.

b. EXCLUSION. To the extent not prohibited by law, neither party will be liable for loss of revenue or indirect, special, incidental, consequential, punitive, or exemplary damages, or damages for lost profits, revenues, business interruption, or loss of business information, even if the party knew they were possible or reasonably foreseeable.

c. Exceptions to limitations. The limits of liability in this Section apply to the fullest extent permitted by applicable law, but do not apply to: (1) the parties' obligations under Section 5; or (2) violation of the other's intellectual property rights.

d. Federal Agencies. For Customers that are Federal Agencies, this Section shall not impair your right to recover for fraud or crimes arising out of or related to this Agreement under any federal fraud statute, including the False Claims Act, 31 U.S.C. §§ 3729-3733.

7. Government Community Cloud.

If you are purchasing a Government Community Cloud offering, the following additional terms apply:

a. Community requirements. You certify you are a member of the Community and agree to use Government Community Cloud Services solely in your capacity as member of the Community and for the benefit of end users that are members of the Community. Use of Government Community Cloud Services by an entity that is not a member of the Community or to provide services to non-Community members is strictly prohibited and could result in termination of this Agreement and/ or your license(s) for Government Community Cloud Services. You acknowledge that only Community members may use Government Community Cloud Services.

(i) All terms and conditions applicable to non-Government Community Cloud Services also apply to their corresponding Government Community Cloud Services, except as otherwise noted in the Online Services Terms.

(ii) You may not deploy or use Government Community Cloud Services and corresponding non-Government Community Cloud Services in the same domain.

(iii) You must maintain its status as a member of the Community throughout the duration of the term for your Government Community Cloud Services. Maintaining status as a member of the Community is a material requirement for such services.

b. Online Services Terms for Government Community Cloud Services For Government Community Cloud Services, notwithstanding anything to the contrary in the Online Services Terms:

(i) Government Community Cloud Services will be offered only within the United States.

(ii) Additional European Terms, as set forth in the Online Services Terms, will not apply.

(iii) References to geographic areas in the Online Services Terms with respect to the location of Customer Data at rest, as set forth in the Online Services Terms, refer only to the United States.

c. Control Standards and Frameworks. Notwithstanding the Data Processing Terms section of the Online Services Terms, Azure Government Services are not subject to the same control standards and frameworks as the Microsoft Azure Core Services. The Compliance Trust Center Page describes the control standards and frameworks with which Azure Government Services comply

8. ITAR Covered Services.

This section applies to only the ITAR Covered Services, defined below, you buy under the Subscription. These terms only apply if you provide express notice to Microsoft of your intent to manage ITAR controlled data in the Customer Data during the eligibility validation phase of the online application process.

a. Your Prerequisites:

(i) You are responsible for ensuring that the prerequisites established or required by the ITAR are fulfilled prior to introducing ITAR-controlled data into the ITAR Covered Services.

(ii) You acknowledge that the ITAR Covered Services ordered by you under the Enrollment enable End Users optionally to access and use a variety of additional resources, applications, or services that are (a) provided by third parties, or (b) provided by Microsoft subject to their own terms of use or privacy policies (collectively, for convenience, “add-ons”), as described in services documentation and/or in the portal through which your administrator(s) will manage and configure the ITAR Covered Services.

(iii) You are responsible for reviewing Online Services documentation, configuring the ITAR Covered Services, and adopting and implementing such policies and practices for your End Users’ use of ITAR Covered Services, together with any add-ons, as you determine are appropriate to comply with the ITAR or other legal or regulatory requirements applicable to you and not generally applicable to Microsoft as an IT service provider.

(iv) You acknowledge that only ITAR Covered Services will be delivered subject to the terms of this Section. Processing and storage of ITAR-controlled data in other services, including without limitation add-ons, is not supported. Without limiting the foregoing, data that you elect to provide to the Microsoft technical support organization, if any, or data provided by or on your behalf to Microsoft’s billing or commerce systems in connection with purchasing or ordering ITAR Covered Services, if any, is not subject to the provisions of this Section. You are solely responsible for ensuring that ITAR-controlled data is not included in support information or support case artifacts.

b. Special Terms.

(i) ITAR Covered Services. The ITAR Covered Services are cloud services operated in a standardized manner with features and processes common across multiple customers. As part of your preparation to use the ITAR Covered Services for the storage, processing, or transmission of ITAR-controlled data, you should review applicable services documentation. Your compliance with the ITAR will be dependent, in part, on your configuration of the services and adoption and implementation of policies and practices for your End Users’ use of ITAR Covered Services. You are solely responsible for determining the appropriate policies and practices needed for compliance with the ITAR.

c. Personnel. Microsoft personnel and contractors authorized by Microsoft to access Customer Data (that may include ITAR-controlled data) in the ITAR Covered Services, will be limited to U.S. persons, as that term is defined in the ITAR. You may also authorize Microsoft personnel and contractors to access its Customer Data. You are solely responsible for ensuring any such authorization is permissible under the ITAR.

d. Use of Subcontractors. As set forth in the OST, Microsoft may hire subcontractors to provide services on its behalf. Any such subcontractors used in delivery of the ITAR Covered Services will be permitted to obtain Customer Data (that may include ITAR-controlled data) only to deliver the ITAR Covered Services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose. Storage and processing of Customer Data in the ITAR Covered Services is subject to Microsoft security controls at all times and, to the extent subcontractor personnel perform services in connection with ITAR Covered Services, they are obligated to follow Microsoft’s policies, including without limitation the geographic restrictions and controls selected by you in the configuration of the ITAR Covered Services. Microsoft remains responsible for its subcontractors’ compliance with Microsoft’s obligations.

e. Notification The Security Incident handling process defined in the OST will apply to the ITAR Covered Services. In addition, the parties agree to the following:

(i) You acknowledge that effective investigation or mitigation of a Security Incident involving ITAR-controlled data may be dependent upon information or services configurations within Enrolled Affiliate’s control. Accordingly, proper treatment of ITAR-controlled data will be a joint obligation between Microsoft and you. If you become aware of any unauthorized release of ITAR-controlled data to Microsoft or the use of a service other than the ITAR Covered Service to store, process, or transmit ITAR-controlled data, you will promptly notify Microsoft of such event and provide reasonable assistance and information necessary for Microsoft to investigate and report such event.

(ii) If, subsequent to notification of a Security Incident by Microsoft, you determine that ITAR-controlled data may have been subject to unauthorized inspection or disclosure, it is your responsibility to notify the appropriate authorities of such event, or to notify impacted individuals, if you determine such notification is required under applicable law or regulation or your internal policies

(iii) If either party determines it is necessary or prudent to make a voluntary disclosure to the Directorate of Defense Trade Controls regarding the treatment of ITAR-controlled data in the Online Services, such party will work in good faith to notify the other party of such voluntary disclosure prior to providing such voluntary disclosure. The parties will work together in good faith in the development and reporting of any such voluntary disclosure.

f. Conflicts. If there is any conflict between any provision in this Section and any provision in the agreement, this Section shall control.

9. IRS 1075 Covered Services.

This section applies to only the IRS 1075 Covered Services, defined below, you buy under the Subscription

a. Your Prerequisites:

(i) You are responsible to ensure that the prerequisites established or required by IRS Publication 1075 are fulfilled prior to introducing FTI into the IRS 1075 Covered Services.

(ii) You acknowledge that the IRS 1075 Covered Services ordered by you under the Subscription enable End Users optionally to access and use a variety of additional resources, applications, or services that are (a) provided by third parties, or (b) provided by Microsoft subject to their own terms of use or privacy policies (collectively, for convenience, “add-ons”), as described in services documentation and/or in the portal through which your administrator(s) will manage and configure the IRS 1075 Covered Services.

(iii) You are responsible to review Online Services documentation, configure the services, and adopt and implement such policies and practices for your End Users’ use of IRS 1075 Covered Services, together with any add-ons, as you determine are appropriate in order for you to comply with IRS Publication 1075 or other legal or regulatory requirements applicable to you and not generally applicable to Microsoft as an IT service provider.

(iv) You acknowledge that only IRS 1075 Covered Services will be delivered subject to the terms of this Section 9. No other services are supported by the terms of this Section 9. Without limiting the foregoing, data that you elect to provide to the Microsoft technical support organization (“Support Data”), if any, or data provided by or on your behalf to Microsoft’s billing or commerce systems in connection with purchasing/ordering IRS 1075 Covered Services (“Billing Data”), if any, is not subject to the provisions of this Section 9. You are solely responsible for ensuring that FTI is not provided as Support Data or Billing Data.

b. IRS Publication 1075 Special Terms.

(i) IRS 1075 Covered Services. The IRS 1075 Covered Services are cloud services operated in a standardized manner with features and processes common across multiple customers. As part of your preparation to use the services for FTI, you should review applicable services documentation. Enrolled Affiliate’s compliance with IRS Publication 1075 will be dependent, in part, on your configuration of the services and adoption and implementation of policies and practices for your End Users’ use of IRS 1075 Covered Services. You are solely responsible for determining the appropriate policies and practices needed for compliance with IRS Publication 1075.

(ii) Attachment 1 contains the Safeguarding Contract Language for Technology Services specified by IRS Publication 1075. Microsoft and you have agreed that certain requirements of the Safeguarding Contract Language and IRS Publication 1075 will be fulfilled as set forth in the remainder of this section 9.

(iii) Personnel Records and Training. Microsoft will maintain a list of screened personnel authorized to access Customer Data (that may include FTI) in the IRS 1075 Covered Services, which will be available to you or to the IRS upon written request. You will treat Microsoft personnel personally identifiable information (PII) as Microsoft trade secret or security-sensitive information exempt from public disclosure to the maximum extent permitted by applicable law, and, if required to provide such Microsoft personnel PII to the IRS, will require the IRS to treat such personnel PII the same.

(iv) Training Records. Microsoft will maintain security and disclosure awareness training records as required by IRS Publication 1075, which will be available to you upon written request.

(v) Confidentiality Statement. Microsoft will maintain a signed confidentiality statement, and will provide a copy for inspection upon request.

(vi) Cloud Computing Environment Requirements. The IRS 1075 Covered Services are provided in accordance with the FedRAMP System Security Plan for the applicable services. Microsoft’s compliance with controls required by IRS Publication 1075, including without limitation encryption and media sanitization controls, can be found in the applicable FedRAMP System Security Plan.

(vii) Use of Subcontractors. Notwithstanding anything to the contrary in Attachment 1, as set forth in the OST, Microsoft may use subcontractors to provide services on its behalf. Any such subcontractors used in delivery of the IRS 1075 Covered Services will be permitted to obtain Customer Data (that may include FTI) only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data for any other purpose. Storage and processing of Customer Data in the IRS 1075 Covered Services is subject to Microsoft security controls at all times and, to the extent subcontractor personnel perform services in connection with IRS 1075 Covered Services, they are obligated to follow Microsoft’s policies. Microsoft remains responsible for its subcontractors’ compliance with Microsoft’s obligations. Subject to the preceding, Microsoft may employ subcontractor personnel in the capacity of augmenting existing staff, and understands IRS Publication 1075 reference to employees to include employees and subcontractors acting in the manner specified herein. It is the responsibility of the Enrolled Affiliate to gain approval of the IRS for the use of all subcontractors.

(viii) Microsoft maintains a list of subcontractor companies who may potentially provide personnel authorized to access Customer Data in the Online Services, published for Azure branded services at http://azure.microsoft.com/en-us/support/trust-center/ , or successor locations identified by Microsoft. Microsoft will update these websites at least 14 days before authorizing any new subcontractor to access Customer Data, Microsoft will update the website and provide you with a mechanism to obtain notice of that update.

(ix) Security Incident Notification. The Security Incident handling process defined in the OST will apply to the IRS 1075 Covered Services. In addition, the parties agree to the following:

1. You acknowledge that effective investigation or mitigation of a Security Incident may be dependent upon information or services configurations within your control. Accordingly, compliance with IRS Publication 1075 Incident Response requirements will be a joint obligation between Microsoft and you.

2. If, subsequent to notification from Microsoft of a Security Incident, you determine that FTI may have been subject to unauthorized inspection or disclosure, it is your responsibility to notify the appropriate Agent-in-Charge, TIGTA (Treasury Inspector General for Tax Administration) and/or the IRS of a Security Incident, or to notify impacted individuals, if you determine this is required under IRS Publication 1075, other applicable law or regulation, or your internal policies.

c. Your Right to Inspect.

(i) Audit by you. You will, (i) be provided quarterly access to information generated by Microsoft’s regular monitoring of security, privacy, and operational controls in place to afford you an ongoing view into the effectiveness of such controls, (ii) be provided a report mapping compliance of the IRS 1075 Covered Services with NIST 800-53 or successor controls, (iii) upon request, be afforded the opportunity to communicate with Microsoft’s subject matter experts for clarification of the reports identified above, and (iv) upon request, and at your expense, be permitted to communicate with Microsoft’s independent third party auditors involved in the preparation of audit reports. You will use this information above to satisfy with any inspection requirements under IRS Publication 1075 and agree that the audit rights described in this section are in full satisfaction of any audit that may otherwise be requested by the you

(ii) Confidentiality of Audit Materials. Audit information provided by Microsoft to you will consist of highly confidential proprietary or trade secret information of Microsoft. Microsoft may request reasonable assurances, written or otherwise, that information will be maintained as confidential and/or trade secret information subject to this agreement prior to providing such information to Agency, and Agency will ensure Microsoft’s audit information is afforded the highest level of confidentiality available under applicable law.

(iii) This Section 9.c is in addition to compliance information available to you under the OST.

10. Criminal Justice Information Services (CJIS).

This section applies only to the Azure Government CJIS Covered Services, defined below, you buy under the Subscription.

a. Your Prerequisites:

(i) Microsoft’s representations as it relates to its CJIS Covered Services’ compliance with the FBI Criminal Justice Information Systems (“CJIS”) Security Addendum (Appendix H of FBI CJIS Policy) are subject to your incorporation of applicable state-specific CJIS Amendment terms and conditions into your Subscription. They are also subject to your incorporation and flow down of such terms in your contracts with a Covered Entity.

(ii) Please visit https://www.microsoft.com/en-us/TrustCenter/Compliance/CJIS for additional information about CJIS Covered States and CJIS Covered Services. Note that not all states are CJIS Covered States and that different CJIS Covered Services may apply in different CJIS Covered States. For more information about how to sign up for CJIS Covered Services through an Enterprise Agreement, please visit https://azure.microsoft.com/en-us/pricing/enterprise-agreement. For purposes of this section, if you are not in a CJIS Covered State, then Microsoft is unable to provide CJIS-related representations at this time, and no CJIS Amendment will apply,

(iii) You can access the terms and conditions of Microsoft’s adherence to the FBI CJIS Policy by contacting the CSA in a CJIS Covered State. The Security Addendum for Private Contractors (Cloud Providers) referenced in the FBI CJIS Policy and CSA-provided terms and conditions is incorporated herein by reference, and you acknowledge that Microsoft's support for CJI will be in accordance with those terms agreed to and/or signed by the applicable state CSA. You also acknowledge that it is your responsibility to contact the applicable state CSA for this and any additional information. You are required to, and acknowledge you will, work directly with the applicable state CSA for any CJIS-related documentation and audit requirements.

(iv) You are responsible to ensure that the CJIS Security Addendum has been signed by the CSA, that the CSA has approved your use of the Covered Services to store or process CJI, and that any other prerequisites established or required by either the FBI, state CSA, or you are fulfilled prior to introducing CJI into the Covered Services.

(v) You acknowledge that you will keep records of any Covered Entity to which you provide CJIS State Agreements or other CJIS-related documentation you obtain from the state CSA and shall make such records available to Microsoft promptly upon request.

b. If there is any conflict between any provision in this Section and any provision in the agreement, this Section shall control.

11. Miscellaneous

a. Notices. You must send notices by mail, return receipt requested, to the address below.

Microsoft Corporation

Volume Licensing Group

One Microsoft Way

Redmond, WA 98052

USA

Via Facsimile: (425) 936-7329

Microsoft Corporation

Legal and Corporate Affairs

Volume Licensing Group

One Microsoft Way

Redmond, WA 98052

USA

Via Facsimile: (425) 936-7329

You agree to receive electronic notices from us, which will be sent by email to the account administrator you specify in the Portal. Notices are effective on the date on the return receipt or, for email, when sent. You are responsible for ensuring that the account administrator email address that you specify in the Portal is accurate and current. Any email notice that we send to that email address will be effective when sent, whether or not you actually receive the email.

b. License Transfers and Assignment. You may not assign this agreement either in whole or in part or transfer licenses without Microsoft’s consent.

c. Consent to partner fees When you place an order, you may be given the opportunity, if applicable, to identify a “Partner of Record” associated with your Subscriptions. By identifying a Partner of Record, directly or by authorizing a third party to do so, you consent to our paying fees to the Partner of Record. The fees are for pre-sales support and may also include post-sales support. The fees are based on, and increase with, the size of your order. Our prices for Online Services are the same whether or not you identify a Partner of Record.

d. Severability. If any part of this agreement is held unenforceable, the rest remains in full force and effect.

e. Waiver. Failure to enforce any provision of this agreement will not constitute a waiver.

f. No agency. This agreement does not create an agency, partnership, or joint venture.

g. No third-party beneficiaries. There are no third-party beneficiaries to this agreement.

h. Applicable law and venue This agreement is governed by Washington law, without regard to its conflict of laws principles, except that (i) if you are a U.S. Government entity, this agreement is governed by the laws of the United States, and (ii) if you are a state or local government entity in the United States, this agreement is governed by the laws of that state. Any action to enforce this agreement must be brought in the State of Washington. This choice of jurisdiction does not prevent either party from seeking injunctive relief in any appropriate jurisdiction with respect to violation of intellectual property rights.

i. Entire agreement. This agreement is the entire agreement concerning its subject matter and supersedes any prior or concurrent communications. In the case of a conflict between any documents in this agreement that is not expressly resolved in those documents, their terms will control in the following order of descending priority: (1) this Microsoft Online Subscription Agreement, (2) the Online Services Terms, (3) the applicable Offer Details, and (4) any other documents in this agreement.

j. Survival. The terms in Sections 1, 2.e, 3.b, 4, 5, 6, 7, and 8 will survive termination or expiration of this agreement.

k. U.S. export jurisdiction. The Products are subject to U.S. export jurisdiction. You must comply with all applicable laws, including the U.S. Export Administration Regulations, the International Traffic in Arms Regulations, and end-user, end-use and destination restrictions issued by U.S. and other governments. For additional information, see http://www.microsoft.com/exporting/.

l. Force majeure. Neither party will be liable for any failure in performance due to causes beyond that party’s reasonable control (such as fire, explosion, power blackout, earthquake, flood, severe storms, strike, embargo, labor disputes, acts of civil or military authority, war, terrorism (including cyber terrorism), acts of God, acts or omissions of Internet traffic carriers, actions or omissions of regulatory or governmental bodies (including the passage of laws or regulations or other acts of government that impact the delivery of Online Services)). This Section will not, however, apply to your payment obligations under this agreement.

m. Contracting authority. If you are an individual accepting these terms on behalf of an entity, you represent that you have the legal authority to enter into this agreement on that entity’s behalf. If you specify an entity, or you use an email address provided by an entity you are affiliated with (such as an employer) in connection with a Subscription purchase or renewal, that entity will be treated as the owner of the Subscription for purposes of this agreement.

n. Additional Terms Applicable when you are a U.S. Federal Agency:

(i) No provisions of any shrink-wrap or any click-through agreement (or other similar form of agreement) that may be provided in conjunction with any Product(s) acquired under this agreement shall apply in place of, or serve to modify any provision of this agreement, even if your user or your authorized officer purports to have affirmatively accepted such shrink-wrap or click-through provisions. For the avoid of doubt and without limiting the foregoing, in the event of a conflict between any such shrink-wrap or click-through provisions (irrespective of the products or services that such provisions attach to) and any term or condition of this agreement, then the relevant term or condition of this agreement shall govern and supersede the purchase of such Product(s) to the extent of any such conflict. All acceptance of agreements and renewals shall be executed in writing.

(ii) If any document incorporated by reference into this Agreement, including the Product Terms and Online Service Terms included and/or referenced or incorporated herein and/or therein, contains a provision (a) allowing for the automatic termination of your license rights or Online Services; (b) allowing for the automatic renewal of services and/or fees; (c) requiring the governing law to be anything other than Federal law; and/or (d) otherwise violates applicable Federal law, then, such terms shall not apply with respect to the Federal Government. If any document incorporated by reference into this agreement, including the Product Terms and Online Service Terms included and/or referenced or incorporated herein and/or therein contains an indemnification provision, such provision shall not apply as to the United States indemnifying Microsoft or any other party.

12. Definitions.

Any reference in this agreement to “day” will be a calendar day.

“Acceptable Use Policy” is set forth in the Online Services Terms.

“Affiliate” means any legal entity that a party owns, that owns a party, or that is under common ownership with a party. “Ownership” means, for purposes of this definition, control of more than a 50% interest in an entity.

“Azure Government Services” means one or more of the services or features Microsoft makes available to Enrolled Affiliate under this Enrollment and identified at http://azure.microsoft.com/regions/#services, which are Government Community Cloud Services.

“CJI” means Criminal Justice Information, as defined in FBI CJIS Policy.

“CJIS Covered State” means a state, as shown at https://www.microsoft.com/TrustCenter/Compliance/CJIS or another site Microsoft may provide, with which Microsoft and the applicable state have entered into a CJIS State Agreement.

“CJIS Covered Service” means, for any state-specific CJIS Amendment, the Microsoft Online Services that are listed as such in that amendment, and for which Microsoft’s CJIS representations apply.

“CJIS State Agreement” means an agreement between Microsoft and a Covered State’s CSA (or another entity to which the CSA has delegated its duties) containing terms and conditions under which the Covered State and Microsoft will comply with the applicable requirements of the CJIS Policy. Each CJIS State Agreement is consistent with the applicable state-specific CJIS Amendment, and includes Microsoft CJIS Security Addendum Certifications. For clarity, a CJIS State Agreement may be titled “CJIS Information Agreement” or “CJIS Management Agreement.”

“Community” means the community consisting of one or more of the following: (1) a Government, (2) a Customer using eligible Government Community Cloud Services to provide solutions to a Government or a qualified member of the Community, or (3) a Customer with Customer Data that is subject to Government regulations for which the Customer determines and Microsoft agrees that the use of Government Community Cloud Services is appropriate to meet the Customer’s regulatory requirements. Membership in the Community is ultimately at Microsoft’s discretion, which may vary by Government Community Cloud Service.

“Compliance Trust Center Page” means the compliance page of the Microsoft Trust Center, published by Microsoft at https://www.microsoft.com/TrustCenter/Compliance/default.aspx or a successor site Microsoft later identifies.

“Consumption Offering”, “Commitment Offering”, or “Limited Offering” describe categories of Subscription offers and are defined in Section 2.

“Covered Entity” means any State/Local Entity in a Covered State with which you maintain a contractual relationship whose use of CJIS Covered Services is subject to CJIS Policy.

“CSA” means, for each CJIS Covered State, that state’s CJIS Systems Agency, as defined in FBI CJIS Policy.

“Customer Data” is defined in the Online Services Terms.

“Customer Solution” is defined in the Online Services Terms.

“Defense Article” has the meaning provided in 22 C.F.R. § 120.

“Defense Service” has the meaning provided in 22 C.F.R. § 120.

“End User” means any person you permit to access Customer Data hosted in the Online Services or otherwise use the Online Services, or any user of a Customer Solution. With respect to ITAR Covered Services, End User means an individual that accesses the ITAR Covered Services. With respect to IRS 1075 Covered Services, End User means an individual that accesses the IRS 1075 Covered Services. “Federal Agency” means a bureau, office, agency, department or other entity of the United States Government.

“FTI” is defined as in IRS Publication 1075.

“Government” means a Federal Agency, State/Local Entity, or Tribal Entity acting in its governmental capacity.

“Government Community Cloud Services” means Microsoft Online Services that are provisioned in Microsoft’s multi-tenant data centers for exclusive use by or for the Community and offered in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-145. Microsoft Online Services that are Government Community Cloud Services are designated as such in the Use Rights and Product Terms.

“IRS 1075 Covered Services” means Azure Government services listed as being in the scope for IRS 1075 at http://azure.microsoft.com/support/trust-center/compliance/irs1075/ or its successor site. Without limitation, IRS 1075 Covered Services do not include any other separately branded Online Services.

“IRS Publication 1075” means the Internal Revenue Services (IRS) Publication 1075 effective January 1, 2014, including updates (if any) released by the IRS during the term of the Enrollment.

“ITAR” means the International Traffic in Arms Regulations, found at 22 C.F.R. §§ 120 - 130.

“ITAR-controlled data” means Customer Data that is regulated by the ITAR as Defense Articles or Defense Services.

“ITAR Covered Services” means, solely with respect to this Agreement, the Azure Government services, listed as being in the scope for the ITAR at https://www.microsoft.com/TrustCenter/Compliance/itar or its successor site.

“Managed Service Solution” means a managed IT service you provide to a third party that consists of the administration of and support for Microsoft Azure Services.

“Microsoft Azure Services” means one or more of the Microsoft services and features identified at http://azure.microsoft.com/services, except where identified as licensed separately.

“Non-Microsoft Product” is defined in the Online Services Terms.

“Offer Details” means the pricing and related terms applicable to a Subscription offer, as published in the Portal.

“Online Services” means any of the Microsoft-hosted online services subscribed to by Customer under this agreement, including Government Community Cloud Services and Dynamics CRM Online Services, Office 365 Services, Microsoft Azure Services, or Microsoft Intune Online Services.

“Online Services Terms” or “OST” means the terms that apply to your use of the Products available at http://www.microsoft.com/licensing/onlineuserights. The Online Services Terms include terms governing your use of Products that are in addition to the terms in this agreement.

“Previews” means preview, beta, or other pre-release version or feature of the Online Services or Software offered by Microsoft to obtain customer feedback.

“Portal” means the Online Services’ respective web sites that can be found at http://www.microsoft.com/licensing/online-services/default.aspx, http://azure.microsoft.com/pricing/, or at an alternate website we identify.

“Product” means any Online Service (including any Software).

“Product Terms” means the document that provides information about Microsoft Products available through volume licensing. The Product Terms document is published on the Volume Licensing Site at http://www.microsoftvolumelicensing.com and is updated from time to time.

“SLA” means the commitments we make regarding delivery and/or performance of an Online Service, as published at http://azure.microsoft.com/support/legal/sla/, or at an alternate site that we identify.

“Software” means Microsoft software we provide for installation on your device as part of your Subscription or to use with the Online Service to enable certain functionality.

“Subscription” means an enrollment for Online Services for a defined Term as specified on the Portal. You may purchase multiple Subscriptions, which may be administered separately and which will be governed by the terms of a separate Microsoft Online Subscription Agreement.

“State/Local Entity” means (1) any agency of a state or local government in the United States, or (2) any United States county, borough, commonwealth, city, municipality, town, township, special purpose district, or other similar type of governmental instrumentality established by the laws of Customer’s state and located within Customer’s state’s jurisdiction and geographic boundaries.

“Technical Data” has the meaning provided in 22 C.F.R. § 120.

“Term” means the duration of a Subscription (e.g., 30 days or 12 months).

“Tribal Entity” means a federally-recognized tribal entity performing tribal governmental functions and eligible for funding and services from the U.S. Department of Interior by virtue of its status as an Indian tribe.

“Use Rights,” means, with respect to any licensing program, the use rights or terms of service for each Product and version published for that licensing program at the Volume Licensing Site. The Use Rights supersede the terms of any end user license agreement (on-screen or otherwise) that accompanies a Product. The Use Rights for Software are published by Microsoft in the Product Terms. The Use Rights for Online Services are published in the Online Services Terms.

ATTACHMENT 1

Internal Revenue Services

Federal Tax Information

Safeguarding Addendum

In performance of its obligations to deliver the IRS 1075 Covered Services under the Subscription, Microsoft agrees to comply with the requirements contained in Exhibit 7 (Safeguarding Contract Language for Technology Services) from IRS Publication 1075, as set forth below. For purposes of this Attachment 1, “contractor” refers to Microsoft, “agency” refers to you, and “contract” refers to the Subscription, inclusive of the terms in Section 9 of the Agreement.

I. PERFORMANCE

In performance of this contract, the contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:

(1) All work will be performed under the supervision of contractor or the contractor’s responsible employees.

(2) Any return or return information made available shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Addendum. Disclosure to anyone other than an officer or employee of the contractor will be prohibited.

(3) All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

(4) The contractor certifies that the data processed during the performance of this contract will be completely purged from all data storage components of their computer facility, and no output will be retained by contractor at the time the work is completed. If immediate purging of all data storage components is not possible, contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures.

(5) Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used.

(6) All computer systems receiving, processing, storing, or transmitting FTI must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal Tax Information.

(7) No work involving Federal Tax Information furnished under this contract will be subcontracted without prior written approval of the IRS.

(8) The contractor will maintain a list of employees authorized access. Such list will be provided to the enrolled Affiliate and, upon request, to the IRS reviewing office.

(9) The agency will have the right to void the contract if the contractor fails to provide the safeguards described above.

II. CRIMINAL/CIVIL SANCTIONS

(1) Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.

(2) Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431.

(3) Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5000.

(4) Granting a contractor access to FTI must be preceded by certifying that each individual understands the agency’s security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the agency’s files for review. As part of the certification and at least annually afterwards, contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for Unauthorized Disclosure). The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. (See Section 10) For both the initial certification and the annual certification, the contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements.

III. INSPECTION

The IRS and the Agency shall have the right to send its officers and employees into the offices and plants of the contractor for inspection of the facilities and operations provided for the performance of any work under this contract. On the basis of such inspection, specific measures may be required in cases where the contractor is found to be noncompliant with contract safeguards.