MASTER CONTENT PROVIDER AGREEMENT
Exhibit 10.6
CONFIDENTIAL TREATMENT REQUESTED
WITH RESPECT TO CERTAIN PORTIONS HEREOF
DENOTED WITH ***
MASTER CONTENT PROVIDER AGREEMENT
THIS AGREEMENT is made on the 3rd day of June, 2009
BETWEEN
MAXIS MOBILE SERVICES SDN BHD (Company Registration Number : 73315-V), a company incorporated in Malaysia and having its registered office at Level 18, Menara Maxis, Kuala Lumpur City Centre, Off Jalan Ampang, 50088 Kuala Lumpur (Maxis)
AND
Vringo, Inc. a company incorporated in Delaware and having its registered office at 85 5th avenue, New York, NY 10003 (the Content Provider).
Maxis and Content Provider are individually referred to as the Party and collectively as the Parties.
PREAMBLE
A. | Whereas Maxis is licensed by the relevant authorities to operate, maintain and supply telecommunication services including GSM mobile telecommunications services and communication products ancillary to these services including providing Internet access to its Users. |
B. | Whereas the Content Provider is in the business of producing / sourcing and providing the Content specified in Appendix 1 and desires to make the Content accessible to the Subscribers. |
C. | Whereas both Parties are desirous of entering into this Agreement for the purpose of making the Content available to the Subscribers under the terms and conditions as set out in this Agreement. |
IN CONSIDERATION of the mutual obligations and undertakings set forth below, IT IS HEREBY AGREED as follows:
1. | DEFINITIONS AND INTERPRETATIONS |
1.1 | In this Agreement, unless the context otherwise requires, the following words and phrases shall have the respective meanings assigned to them as follows: |
Agreement | means this Master Content Provider Agreement signed between the Parties. All Appendices attached and any amendments to this Agreement and the Appendices in accordance with Clause 13.2 as may be added from time to time shall form an integral part of this Agreement; | |
CMA | means the Communications and Multimedia Act 1998, as amended or revised from time to time; | |
Content | means the content more particularly described in Appendix 1 including but not limited to text, articles, editorials, news, tutorials, tips, suggestions, graphics, photographs, video, audio, all headlines, abstracts, meta tags
and/or data or information relating to any subject and/or advertisements, embedded software therein provided or made available by the Content Provider and/or any application required to deliver the Content to Maxis by this Agreement and reference to Content includes any new content added to this Agreement in accordance with Clause 13; | ||
Confidential Information | means all information of any kind, whether communicated verbally, in printed or electronic form, including (but not limited to) technical information, data, know-how and information relating to either Party's (or its respective holding, related or subsidiary companies') business, marketing strategies, Users' personal data, financial condition and operations whether or not labelled as Confidential and submitted by one Party to the other, whether before or after the Effective Date, for the purposes relating to this Agreement; | |
Content Code | means the Malaysian Communications and Multimedia Content Code including any subcodes, as amended or revised from time to time; | |
Effective Date | means the date specified in Appendix 1; | |
Force Majeure | means any circumstance beyond the reasonable control of a Party which results in that Party being unable to observe or perform on time an obligation under this Agreement, including but not limited to, acts of God, floods, storms, and any other natural disaster, acts of war, civil commotion, malicious damage, strikes or fire. An event or act shall not be excused or delayed by Force Majeure if it could reasonably be circumvented through use of alternative sources, work around plans or other means as may be agreed between the Parties; | |
General Consumer Code | means the General Consumer Code of Practice for the Communications and Multimedia Industry Malaysia, as amended or revised from time to time; | |
Intellectual Property Rights | means all rights in and to trade secrets, patent, copyright, service marks, trade marks, Confidential Information, know-how, moral rights and similar rights of any type, under the laws of any relevant governmental authority, domestic or foreign including all applications and registrations relating to any of the foregoing; | |
Internet | means a global network of interconnected computer networks, each using the Transmission Control Protocol/Internet Protocol and/or such other standard network connection protocols as may be adopted from time to time, which is used to transmit Content that is directly or indirectly delivered for display to an end user whether such Content is delivered for display to an end user through on-line browsers, off-line browsers or through push technology, electronic mail, broadband distribution, satellite wireless or otherwise; | |
Mark | means trade marks, trade names, service marks, logos, symbols, brand names and other proprietary indicia or any combination thereof; | |
Maxis Group | means any holding, related or subsidiary companies (as defined in Section 5 of the Companies Act, 1965) of Maxis; | |
Maxis Properties | means any Maxis branded co-branded media properties developed in whole or in part and distributed or made available by Maxis or by any companies within the Maxis Group over the Internet or any devices including but not limited to Internet enabled devices and/or wireless devices; and | |
Security Compliance Requirements | means the security compliance requirements set out in Appendix 5 to this Agreement; | |
Service | means the service provided by Maxis in making the Content available to the Subscribers via any mode of transmission; |
Subscribers | means any subscriber of Maxis mobile telecommunications network who accesses and uses the Service; and | |
Users | includes any subscriber, visitor, user to and/or viewer of the Maxis Properties. |
1.2 | Headings in this Agreement are for reference only and shall not affect the construction of any provision. |
1.3 | Words importing the singular shall also include the plural and vice-versa where the context so requires. References to a person shall be construed as including references to an individual, firm, company, corporation, unincorporated body of persons or any State or agency thereof. |
1.4 | In this Agreement, unless the context otherwise requires, references to day or days shall mean a twenty-four (24) hour period as in a calendar day. Reference to a time and date concerning the performance of any obligation by a party is reference to the time and date in Malaysia. References to Clauses and Appendices are references to the Clauses of, and the Appendices to, this Agreement. References to any statute shall be construed as references to that statute as from time to time amended or re-enacted. |
1.5 | No rule of construction shall apply to the detriment of any Party by reason of that Party having control of and/or was responsible for the preparation of this Agreement. |
1.6 | Any express statement of a right of a Party under this Agreement is without prejudice to any other right of that Party expressly stated in this Agreement or arising at law. |
1.7 | A reference to any of the words include, includes and including is read as if followed by the words without limitation. |
1.8 | Business Day for purposes of this Agreement is a day other than Saturday, Sunday or public holiday in Malaysia. |
2. | GRANT OF LICENCE |
2.1 | Subject to the terms in this Agreement the Content Provider hereby grants to Maxis a non-exclusive licence and the right to: |
2.1.1 | use and display in any format, the Content and the Content Provider's name and Marks: |
(a) | in connection with the Maxis Properties; |
(b) | to credit the Content Provider as the provider of the Content; |
(c) | in connection with the marketing and promotion of the Maxis Properties; |
(d) | in any advertisement provided by Maxis to the Content Provider on the Maxis Properties, and |
2.1.2 | distribute the Content to the Subscribers and permit the Subscribers to view, use and/or download to the Subscribers' wireless communication device for personal use regardless of whether the Subscribers are within Malaysia or otherwise. |
2.2 | For the avoidance of doubt, and notwithstanding Clause 14.6, the companies in the Maxis Group, which provide communications services via any devices including Internet enabled devices and/or wireless devices, shall have all the rights set forth in this Clause 2.1. The said companies may re-format the Content in order to display the Content on the Maxis Properties. |
2.3 | During the first 6 months of the term hereof Content Provider shall not work directly with other carriers in Malaysia. |
3. | RESPONSIBILITIES OF THE CONTENT PROVIDER |
3.1 | The Content Provider shall: |
3.1.1 | provide the Content specified in Appendix 1 which shall be displayed on the Maxis Properties; |
3.1.2 | provide Maxis with the requisite data, technical specifications of the Content to enable Maxis to utilise or develop a suitable interface to display the Content from the Content Provider; |
3.1.3 | ensure the Content specifications are complete, accurate and up to date and that Maxis is duly notified in advance and provided with a list of intended changes to the said specifications which may affect the said interface or the ability of Maxis to deliver and/or display the Content; |
3.1.4 | develop, maintain and regularly update the Content in order to keep the same current, relevant and useful to the Users; |
3.1.5 | provide Maxis with the Content Provider's Marks to be used solely on the Maxis Properties and in any print, electronic or other publications related to the Maxis Properties; |
3.1.6 | provide on-going assistance to Maxis in relation to technical, administrative and service oriented issues relating to the use, transmission and maintenance of the Content, as Maxis may reasonably request; and |
3.1.7 | maintain all necessary communications facilities to perform its obligations under this Agreement. |
4. | RESPONSIBILITIES OF MAXIS |
4.1 | Maxis shall be responsible for the design, layout, posting and maintenance of the Maxis Properties for the provision of the Service. |
4.2 | Maxis shall pay the Content Provider's transaction share specified in Appendix 3 to the Content Provider for the Content which has been provided to the Subscriber in accordance with this Agreement and meets the standards referred to in Clause 5 and the specifications stated in Appendices 1 and 2. |
5. | CONTENT |
5.1 | The Content Provider shall deliver the Content in accordance with Appendix 2. The Content Provider shall provide Maxis with reasonable prior notice of any significant enhancements that generally affect the appearance, updating, delivery or other elements of the Content. |
5.2 | The Content Provider undertakes that the Content provided pursuant to this Agreement shall not: |
5.2.1 | contain elements which render the said Content or any part thereof unlawful, threatening, offensive, annoying, malicious, harmful, obscene, pornographic, profane, misleading, defamatory, abusive, socially or politically sensitive, unethical, morally, religiously or racially offensive, unlawful or otherwise prohibited for distribution, inter alia, in Malaysia; or |
5.2.2 | contain other material that could give rise to any civil or criminal liability under the applicable law. |
5.3 | The Content Provider acknowledges that it is hereby advised that the provision of Content which is indecent, obscene, false, menacing, morally, religiously or racially offensive, against public interest, public order or national harmony or offensive in character with intent to annoy, abuse, threaten or harass any person or that is seditious is an offence under the laws of Malaysia. |
5.4 | In performing its obligations under this Agreement, the Content Provider shall comply with all applicable laws (including the CMA), ordinances, codes (including the General Consumer Code and the Content Code), rules, regulations, notices, instructions or directives of the relevant authorities or with any notices, instructions, guidelines or directives given by Maxis from time to time. Such applicable laws, codes or regulations shall include those relating to, subversive, defamatory, obscene or pornographic materials, breach of copyright, patent or other proprietary rights or any which in the reasonable opinion of Maxis may adversely affect the use of the Maxis Services by other clients of Maxis or the efficiency of the Service or the use of the Service as a whole. |
5.5 | The Content Provider shall ensure that the Content is only provided to Subscribers who opt-in for the Content, that is to those who initiate the purchase or subscription of the Content, and shall ensure that such Content or subscription service shall not include any unsolicited or annoying messages, service, content, information or spam which the Subscriber did not specifically request. The Content Provider shall also ensure that the Subscribers are provided with obvious and clear means of opting out of receiving such Content or any promotional or marketing messaging if they do not wish to receive such messages. |
5.6 | The Content Provider shall ensure that the Content provided pursuant to Appendix 1 is at all times; |
5.6.1 | accurate, up-to-date, current, complete, coherent and is not under any circumstance repeated; |
5.6.2 | written or presented in a clear, attractive and highly readable style; |
5.6.3 | written in the English language or such other language as may be specified by Maxis in Appendix 1; and |
5.6.4 | grammatically correct and free of any spelling errors. |
The Content Provider shall additionally use all reasonable endeavours to ensure that the Content provided conforms to the description and availability criteria set out in Appendix 4 of this Agreement and to the reasonable standards and expectations of Maxis as may be notified from time to time. In the event that the Content provided fails to meet these quality standards, Maxis reserves the right to terminate this Agreement pursuant to Clause 10.2.3.
5.7 | The Content Provider undertakes to fully compensate, in pecuniary and non-pecuniary terms, Maxis, its affiliated and or related companies for any loss of reputation, goodwill and/or business suffered by any of them as a result of being charged with and/or convicted of any offence(s) as a result of the providing of unlawful Content. |
5.8 | The Content Provider agrees to indemnify and hold harmless Maxis and the Maxis Group for any loss or damages arising out of any third party claim arising from Content provided contrary to Clause 5. |
6. | RIGHT TO REFUSE |
6.1 | Maxis reserves the right to review the Content from time to time. |
6.2 | If Maxis determines that the Content contains any material or the Content Provider presents any material in any manner that Maxis deems to have breached any of the terms and conditions of this Agreement or which is likely to subject Maxis to unfavourable regulatory action, contravene any law, or infringe the rights of any persons, or subject Maxis to liability for any reason, Maxis will inform Content Provider of the reason for such determination and: |
6.2.1 | Maxis may refuse to include the Content or any part thereof or any references to such Content on Maxis Properties; and/or |
6.2.2 | remove or delete the affected Content from the Maxis Properties; and/or |
6.2.3 | direct the Content Provider to immediately remove the affected Content from the Maxis Properties who shall remove the Content as so directed; and/or |
6.2.4 | require the Content Provider to take measures such as issuing an apology or explanation to the satisfaction of Maxis, depending on the circumstances. |
Such contravention or infringement shall include, materials or contents which cause annoyance, embarrassment, distress, harassment, disturbance or nuisance of any kind whatsoever; or which is not in the public interest; or contains obscene or offensive content or racially or ethnically objectionable material.
6.3 | If Maxis or any of the companies in the Maxis Group is notified of any Content or part thereof which is objectionable, (the offending Content) whether by a User or a relevant authority in Malaysia or elsewhere, Maxis or any of the companies in the Maxis Group will immediately notify the Content Provider who shall immediately remove the offending Content and if the Content Provider does not do so within 24 hours of being so informed, Maxis may remove or delete the offending Content from the Maxis Properties without any liability whatsoever to the Content Provider. |
6.4 | Notwithstanding anything to the contrary contained herein, Maxis may refrain from including the Content or any part thereof or any references to such Content on Maxis Properties until such time: |
6.4.1 | the Content Provider provides to Maxis' satisfaction documentary proof of Content Provider's rights to such Content as may be required by Maxis from time to time; or |
6.4.2 | Maxis determines that the user acceptance test conducted on the Content is successful and is capable of distribution to the Subscriber. In the event Maxis determines that the Content fails the user acceptance test and the Content Provider is unable to remedy the defect or problem within one (1) month from Maxis' notification in writing, Maxis shall not be obliged to provide the Service in respect of the Content. |
7. | SECURITY |
7.1 | In the event the Content Provider engages in transactions which would require security and protection of any information or data given by User and/or Subscriber, the Content Provider shall employ such security measures which would safeguard the secrecy and confidentiality of such transaction including, by using encryption methods or a secure server, in accordance with such requirements as may be prescribed by the relevant authorities. |
7.2 | The Content Provider shall comply with (to the extent applicable), the Security Compliance Requirements throughout the term of this Agreement. |
7.3 | By the nature of the Service, the Content Provider may have access to Subscribers' information. The use by the Content Provider of the Subscribers' information outside the scope and purpose of this Agreement shall constitute a material breach of this Agreement and Maxis shall be entitled to terminate the Agreement immediately without any liability whatsoever without prejudice to the rights of Maxis against the Content Provider to any claim, action or remedy against the other which shall have accrued or shall accrue thereafter to Maxis. |
7.4 | The Content Provider shall at all times maintain the absolute privacy of the Subscribers and shall not disclose the Subscribers' information to any other party in any manner and shall not contact the Subscribers for any reason or in any manner whatsoever. |
7.5 | For purposes of ensuring the Content Provider's compliance of its terms and obligations under or in connection with this Agreement, Maxis reserves the right to audit at no additional cost to Maxis, amongst others, the Content and services provided by the Content Provider, the service delivery and the systems and business processes employed by the Content Provider. The Content Provider agrees to provide access to and co-operate with Maxis, at no additional cost to Maxis, in respect of any such audits conducted, including where the audits stem as a result of the authorities' right to audit Maxis and its services. |
8. | WARRANTIES |
8.1 | The Content Provider warrants and represents for the benefit of Maxis that; |
8.1.1 | it is the author or creator or legitimate licensee of all Content provided pursuant to this Agreement with the necessary rights to distribute the Content which includes authorising Maxis to provide, promote and display the Content on the Maxis Properties to be distributed to the Subscribers; |
8.1.2 | the Content developed by the Content Provider or on its behalf or furnished by the Content Provider to Maxis (as the case may be) does not and will not infringe any Intellectual Property Rights of any third party and does not and will not constitute a defamation or invasion of the rights of privacy or publicity of any third party; |
8.1.3 | the Content does not violate the laws, statutes and/or regulations of any jurisdiction including Malaysia; |
8.1.4 | Maxis' use of Content Provider's Marks pursuant to this Agreement shall not infringe the Intellectual Property Rights of any third party; |
8.1.5 | the Content furnished by Content Provider to Maxis for the purpose of this Agreement are true, consistent and accurate at all times; |
8.1.6 | it has all the necessary consents, licences and approval(s) from the relevant authorities, bodies and/or organisations which supervise the Content and the distribution and display of the Content on the Maxis Properties; and |
8.1.7 | it is an entity duly organised and validly existing under the laws of the United States and has the power and capacity to execute, deliver and perform the terms of this Agreement and has taken or shall take all necessary corporate and other action to authorise the execution, delivery and performance of this Agreement. |
8.2 | The Content Provider acknowledges that Maxis has entered into this Agreement in reliance on the representations and warranties set out in this Clause. |
8.3 | Without prejudice to the provisions of the Clause 8.1 and 8.2 hereinabove, the Content Provider shall provide Maxis with the necessary documents evidencing the Content Provider's rights to the Content as warranted hereinabove to the satisfaction of Maxis within seven (7) days from the date of receipt of Maxis' written notice requesting for the same, failing which Maxis shall be entitled to: |
8.3.1 | exercise its rights under the provisions of Clause 6 herein; and/or |
8.3.2 | terminate this Agreement without any liability whatsoever without prejudice to the rights of Maxis against the Content Provider to any claim, action or remedy against the other which shall have accrued or shall accrue thereafter to Maxis. |
9. | INDEMNITY |
9.1 | The Content Provider shall indemnify and hold Maxis and the Maxis Group harmless against any costs, claims, demands, expenses, losses and liabilities of whatsoever nature by any third party arising out of any breach or alleged breach of the Agreement including any of the provisions in Clause 8. |
9.2 | Maxis shall notify the Content Provider in writing of the claim or action for which such indemnity applies. Maxis shall be entitled at its option to undertake the defence of any such claim or action and permit the Content Provider to participate therein at the Content Provider's own expense. |
10. | DURATION AND TERMINATION |
10.1 | This Agreement shall be valid for the period specified in Appendix 1 (Period) from the Effective Date (Initial Term) and may be extended automatically for further Periods thereafter unless terminated in accordance with the provisions of this Agreement. |
10.2 | Notwithstanding the provisions of Clause 10.1 hereinabove, this Agreement may be terminated immediately by: |
10.2.1 | an agreement in writing signed by both Parties; |
10.2.2 | either Party upon the expiry of thirty (30) days written notice of termination given by one Party to the other Party without any liability; |
10.2.3 | one Party if the other breaches any of its obligations under this Agreement and fails to rectify such breach to the notifying Party's satisfaction within such period stipulated in this Agreement or fourteen (14) days where no such period has been stipulated, after it receives a notice in writing demanding that the breach be rectified; |
10.2.4 | one Party if the other Party becomes insolvent or bankrupt, assigns all or a substantial part of its business or assets for the benefit of its creditor(s), permits the appointment of a receiver or a receiver and manager for its business or assets, or becomes subject to any legal proceedings relating to insolvency, reorganisation or the protection of creditors' rights or otherwise ceases to conduct business in the normal course. |
10.3 | Where this Agreement is terminated pursuant to this Agreement: |
10.3.1 | Maxis and the Content Provider shall cease the use of each other's Content or Service as the case may be; |
10.3.2 | all documents containing Confidential Information and copies shall be returned to the respective Parties as soon as practicable; |
10.3.3 | neither Maxis nor Content Provider shall in any way exhibit any links or display any information that would lead a User and Subscriber to believe that Maxis and the Content Provider are linked or related in any manner; |
10.3.4 | no Intellectual Property Rights owned by one Party may at any time thereafter be used by the other Party for any purpose whatsoever. |
10.4 | Termination of this Agreement shall be without prejudice to any other rights, remedies or claims either Party may have against each other under this Agreement or at law in respect of any antecedent breach by the Parties of any provisions of this Agreement. |
11. | FORCE MAJEURE |
11.1 | Neither Party shall be liable for any delay or failure to perform its obligations if such failure or delay is due to Force Majeure. |
11.2 | The Party affected by Force Majeure shall notify the other Party in writing as soon as practicable of any anticipated delay due to Force Majeure. The performance of the affected Party's obligations under this Agreement shall be suspended for the period of the delay due to Force Majeure. |
12. | CONFIDENTIALITY |
12.1 | Parties acknowledge and agree that all Confidential Information disclosed by or on behalf of the Party disclosing such information (Disclosing Party) shall be and remain the property of the Disclosing Party. Nothing in this Agreement shall be construed as granting or conferring any license or any rights whatsoever (including any intellectual property rights) whether expressly, impliedly or otherwise in respect of the Disclosing Party's Confidential Information to the Party receiving it (Receiving Party). |
12.2 | Tangible forms of Confidential Information shall not be copied, in whole or in part, without the prior written consent of the Disclosing Party, except for a reasonable number of copies necessary to carry out the transaction contemplated by or pursuant to this Agreement. |
12.3 | No license, whether express or implied, in the Confidential Information is granted by either Party to the other to use the Confidential Information other than in the manner and to the extent authorised by this Agreement. |
12.4 | The Receiving Party understands and agrees that it is not allowed to sell, develop or otherwise exploit any parts, products, services, documents or information which embody in whole or in part any Confidential Information, except as contemplated by this Agreement. |
12.5 | Each Party agrees and undertakes with each other to protect the Confidential Information of the other Party using not less than the standard of care with which it treats its own Confidential Information but in no event less than reasonable care and shall ensure that the Confidential Information of the other Party is stored and handled in a way to prevent unauthorised disclosure. |
12.6 | Each Party shall use its best efforts to limit dissemination of the Confidential Information to its employees, consultants, officers, agents or sub-contractors and its holding or related companies' employees (collectively called Personnel) to whom disclosure is necessary for each of them to perform his duties under this Agreement. Each Party shall impose the above obligation of confidentiality on their Personnel. |
12.7 | The foregoing obligations shall not apply, however, to any part of the Confidential Information which: |
(a) | was already in the public domain or becomes so through no fault of the Receiving Party; |
(b) | is independently developed by the Receiving Party; |
(c) | is approved for release by prior written authorisation by the Party disclosing the Confidential Information; or |
(d) | is required by law to be disclosed. |
12.8 | Subject to Clause 12.3, these obligations of confidentiality shall survive the expiration or termination of this Agreement without limitation of time. |
12.9 | Each Party further agrees to forthwith return to the other Party and/or destroy all documents and any materials received in connection with the Agreement containing any of the Confidential Information of the other Party: |
(a) | upon termination of this Agreement for whatever cause; or |
(b) | upon request of and at the direction of the Disclosing Party. |
12.10 | Both Parties acknowledge that they are aware and fully understand that in the event of any breach of this provision by the Receiving Party or their personnel, then the Disclosing Party could suffer substantial loss and damage which monetary damages cannot adequately compensate and the Disclosing Party shall be entitled to specific performance, injunctive and other equitable relief in enforcing the obligations of this provision in addition to all other remedies available in law. |
12.11 | The Content Provider acknowledges that Maxis may obtain financing in connection with this Agreement and the Content Provider hereby consents to Maxis disclosing to the financiers this Agreement as well as any related documentation (as required by the financiers). |
13 | NEW CONTENT |
13.1 | The Parties may from time to time, agree to add further Appendices to this Agreement to reflect any new Content (New Content) to be provided by the Content Provider after the Effective Date whereupon the Parties shall: |
13.1.1 | add a new Appendix 1 to provide for the type of New Content and the period during which the New Content will be provided. The new Appendix 1 shall be called Appendix 1A, and thereafter Appendix 1B, 1C and so on depending on the number of additional Appendices relating to New Content; |
13.1.2 | add a new Appendix 2 to provide for the technical specifications and the manner in which the New Content will be delivered. The new Appendix 2A shall correspond to Appendix 1A, Appendix 2B to 1B and so on; and |
13.1.3 | add a new Appendix 3 to provide for the Fees payable for the New Content. The new Appendix 3A shall correspond to Appendices 1A and 2A, Appendix 3B to Appendices 1B and 2B and so on. |
13.1.4 | add a new Appendix 4 to provide for the Service Level Standards in respect of the New Content. The new Appendix 4A shall correspond to Appendices 1A, 2A and 3A, Appendix 4B to Appendices 3B, 2B and 1B and so on. |
13.2 | The Parties shall add Appendices for New Content by signing the form attached as Schedule I. |
13.3 | For the purposes of this Agreement: |
13.3.1 | any reference to Appendix 1 shall include Appendix 1A, 1B and any other Appendices 1; |
13.3.2 | any reference to Appendix 2 shall include Appendix 2A, 2B and any other Appendices 2; and |
13.3.3 | any reference to Appendix 3 shall include Appendix 3A, 3B and any other Appendices 3; |
13.3.4 | any reference to Appendix 4 shall include Appendix 4A, 4B and any other Appendices 4; |
which have been added to this Agreement in accordance with this Clause from the date of such addition.
13.4 | The Content Provider is only required to provide a particular type of Content as specified in a particular Appendix 1 for the duration specified in such Appendix 1. |
14. | GENERAL |
14.1 | The Parties acknowledge and agree that each is an independent business entity and as such, neither Party may represent itself as an employee, agent or representative of the other, nor may it incur any obligations on behalf of the other Party which are not specifically authorised in this Agreement. |
14.2 | If any provision of this Agreement is held invalid, unenforceable or illegal for any reason, this Agreement shall remain in full force apart from such provision which shall be deemed deleted. |
14.3 | This Agreement shall be governed by and construed according to the laws of Malaysia. The Parties hereby submit to the exclusive jurisdiction of the courts of Malaysia. |
14.4 | Notices under this Agreement may be delivered by hand, by registered mail, by telex or by facsimile to the following addresses: |
To Maxis:
Attention: Head, Mobile Data Products
Level 10, Menara Maxis, Kuala Lumpur City Centre,
Off Jalan Ampang,
50088 Kuala Lumpur
Tel : 603 2330 7000
Fax: 603 2330 0327
Copy to:
Attention: General Counsel, Legal Department
Level 19, Menara Maxis, Kuala Lumpur City Centre,
Off Jalan Ampang,
50088 Kuala Lumpur
Tel : 603 2330 7000
Fax : 603 2330 0576
The notification details of the Content Provider are specified in Appendix 1.
14.5 | Notice shall be deemed given: |
14.5.1 | in the case of hand delivery or registered mail, upon written acknowledgement of receipt by an officer or other duly authorised employee, agent or representative of the receiving Party; |
14.5.2 | in the case of facsimile, upon completion of transmission. |
14.6 | Neither Party shall assign, subcontract or otherwise transfer any of its rights or obligations under this Agreement to any other person without the prior written consent of the other Party (which consent shall not be unreasonably withheld). Notwithstanding anything to the contrary contained herein Maxis may assign subcontract or transfer its rights and obligations to a related company of Maxis. |
For the avoidance of doubt, Maxis' use of its authorised dealers to promote the sale of the Content shall not constitute an assignment, subcontract or transfer for the purpose of this clause.
14.7 | No right under this Agreement shall be deemed to be waived except by notice in writing signed by both Parties. |
14.8 | Time, wherever mentioned, shall be of the essence in this Agreement. |
14.9 | The stamp duty for this Agreement shall be borne by Maxis. |
14.10 | Each Party shall bear its own legal costs in relation to the preparation of this Agreement. |
14.11 | In the event of any inconsistency between any clause or term in the body of this Agreement and the Appendices, the said clause or term in this Agreement shall prevail. |
14.12 | Those clauses which by their nature would survive the termination of this Agreement shall so survive. |
14.13 | This Agreement including the Appendices constitutes the entire agreement between the Parties relating to the subject matter hereof and supersedes all prior arrangements, agreements, representations or undertakings. There are no promises, terms, conditions, or obligations, oral or written expressed or implied other than those contained in this Agreement. Any subsequent alteration, amendment or addition to this Agreement shall be in writing and signed by the authorised representatives of the Parties. |
THE PARTIES have through their authorised representatives signed this Agreement on the day first mentioned above.
Signed for and on behalf of Maxis Mobile Services Sdn Bhd | Signed for and on behalf of [Content Provider] |
By: /s/ Kugan Thirunavakarasu | By: /s/ Steven Glanz |
Name: Kugan Thirunavakarasu | Name: Steven Glanz |
Designation: Head of Product Development and Infotainment | Designation: SVP Business Development |
Date: | Date: June 3, 2009 |
In the presence of; | |
/s/ Kee Saik Meng | /s/ David Corre |
Name: Kee Saik Meng | Name: David Corre |
Designation: Head of Games and Entertainment | Designation: VP Finance |
Date: August 4, 2009 | Date: June 3, 2009 |
APPENDIX 1
(CONTENT)
Effective Date: September 01, 2009
Duration of Agreement: 12 months
The Content
The Content Provider shall provide: Maxis customers with access to a version of the Vringo video ringtone service (the Vringo Service) which shall include versions of the Vringo downloadable mobile application, the Vringo wap site and the Vringo web site. The Vringo Service shall include video ringtone content provided by Vringo (the Vringo Content) and content provided by Maxis (the Partner Content). Anything in the Agreement to the contrary notwithstanding, Maxis shall be responsible for all rights related issues regarding the Partner content and for making any required payments to the owners of said content.
Notification Particulars of the Content Provider
Content Provider:
Attention: Steven Glanz
85 5th Avenue, New York, NY 10003
Tel: +1646 ###-###-####
Fax: ###-###-####
APPENDIX 2
(DELIVERY AND TECHNICAL SPECIFICATIONS)
The Vringo Service shall be fully hosted by Vringo so Vringo will not have to deliver content to Maxis. Maxis shall deliver Partner Content to Vringo in accordance with a content spec to be provided by Vringo. Maxis will allow Vringo to integrate with Maxis's billing system so users can be billed and Maxis will allow Vringo to integrate with Maxis's SMSC
APPENDIX 3
(FEES)
PRICING
1.
The Vringo Service will be offered as a monthly subscription service. Some content will be available for free but other Vringo Content and Partner Content will cost extra. The fees shall be shared as follows:
# | Product Description | Content Price (MYR) | Transaction Share (Maxis : Content Provider) | |||
Monthly subscription | 5 | *** | ||||
Purchase of Vringo Content | 4 | *** | ||||
Purchase of Partner Content | 4 | *** |
B. | INVOICING AND PAYMENT TERMS |
1. | Within thirty (30) days from the first day of each calendar month, Maxis shall provide the Content Provider with a report showing the amount of revenue billed for subscriptions and content purchases (Maxis Report). The Maxis Report will be uploaded by Maxis in the MCP portal at http://mcp.maxis.com.my, which can be downloaded by the Content Provider or it will be emailed to Content Provider. Computation of the payment to the Content Provider for the Content provided for any particular month shall be based solely on the Maxis Report and Vringo's breakdown of what percent of the revenue for content purchase came from purchases of Vringo Content and what percent came from Partner Content |
2. | In the event of any dispute by the Content Provider regarding the Maxis Report, the Content Provider may within thirty (30) days from upload of the Maxis Report in the MCP portal by written notice, notify Maxis of the dispute failing which the Maxis Report shall be deemed final and conclusive as against the Content Provider. Upon receipt of the written notice, Parties shall investigate the variance and upon resolution of the same, the Content Provider can invoice Maxis for the difference, for which Maxis shall make the necessary payments (if any) to the Content Provider in the following month together with the payments due to the Content Provider for the transactions for the following month. |
3. | Where the Content Provider is a foreign company (i.e. without resident status), the Content Provider shall invoice Maxis each month for the Content Provider's share of the fees for the previous month based on the Maxis Report. |
4. | Maxis shall pay all undisputed amounts within sixty (60) days from date of uploading of the Maxis Report in the MCP portal or receipt of the invoice from the Content Provider, whichever is applicable. |
5. | Maxis shall not be obliged to pay the Content Provider for unusual traffic caused by any access caused by fraudulent means. Fraudulent access in this regard shall include access not authorised by the Subscribers and/or Maxis, regardless of whether it was within the control of Maxis and/or the Subscribers. This shall include but not be limited to hacking and spamming. |
6. | Maxis shall not be liable to make any payments apart from the Content Provider's revenue share based on the Maxis Report or such other amounts as may be determined upon resolution of any dispute to it. Any other terms stated in the Content Provider's invoice contrary to the provisions contained herein shall be null and void. |
7. | Invoicing and payment currency |
7.1 | Content Provider with resident status |
(a) | All invoices shall be issued in and payment made in Ringgit Malaysia (RM). |
7.2 | Content Provider without resident status |
(a) | All invoices shall be issued in and payment made in United States Dollars (USD). |
(b) | The invoice shall depict both the RM sum (as per the Maxis Report) as well as the USD equivalent sum, converted at the applicable market rate of exchange which shall be the average of the buying and selling rates quoted by Malayan Banking Berhad (Maybank) for the last five (5) Business Days of the month for which the invoice is issued (i.e. invoicing month as per the Maxis Report). |
8. | Maxis shall settle all payments to the Content Provider by directly transferring money to Content Provider's pre-determined bank account based on the details as provided below: |
Beneficiary's Bank Name | Silicon Valley Bank | |
Beneficiary's Bank Address | 3003 Tasman Drive Santa Clara, CA 95054 | |
Beneficiary's Name | Vringo, Inc. | |
Beneficiary's Bank Account No | *** | |
Swift Code /Sort Code/ IBAN No (whichever applicable) | *** |
9. | For the purpose of this Agreement, the Fees specified above shall be inclusive of all taxes and duties payable in respect of the Content. |
10. | Parties shall be individually responsible to settle its respective taxes that may be due on its respective revenue share. Maxis may however withhold and pay any portion of the Content Provider's portion of the revenue share due to the Content Provider in compliance with the requirements of the Malaysian Inland Revenue Board or such other laws as may be in force from time to time, and receipts from the Malaysian Inland Revenue Board or such other authorities will be provided by Maxis to the Content Provider upon request. |
11. | In addition, if any goods and services tax (GST) is imposed on any goods or services supplied under this Agreement by the relevant Malaysian authorities, Maxis shall pay for the appropriate GST under each invoice in the event that the Content Provider has complied with the following: |
11.1 | the Content Provider is duly licensed by the relevant Malaysian authorities to collect such GST; |
11.2 | the appropriate GST for each invoice is included under the relevant invoice at the time of the issuance of the invoice; and |
11.3 | all invoices provided by the Content Provider to Maxis comply with the relevant GST law enforced by the Malaysian authorities. |
The Content Provider hereby agrees that no GST amount shall be due and payable by Maxis unless the Content Provider has complied with the provisions of this Clause. The parties agree to use reasonable efforts to do everything required by the relevant GST law to enable or assist the other party to claim or verify any input tax credit, set off, rebate or refund in respect of any GST paid or payable in connection with goods or services supplied under this Agreement.
APPENDIX 4
(SERVICE LEVEL STANDARDS)
SERVICE LEVEL
SERVICE AVAILABILITY
Service | Availability | Target | |||
95 | % | ||||
95 | % |
The Service Availability of the Content Provider and Maxis will be measured over a calendar month during each content's specified playing time or interval. It is calculated as follows:
A = (TSUT - TUDT) / TSUT
A | = | Service Availability (%) | ||
TSUT | = | Total Service Up Time (Hr) | ||
TUDT | = | Total Unplanned Down Time (Hr) |
Note that Service Availability of Content Provider and Maxis respectively does not reflect the Service Availability of the content in totality due to the mechanism of message exchange over the public Internet.
FAULT MANAGEMENT
Stage \ Priority | P1 | P2 | P3 | P4 | ||||
Fault Reception / Initial Investigation | Within 15 minutes | Within 15 minutes | 4 working hours | 8 working hours | ||||
Service Restoration | 4 hours | 8 hours | 16 working hours | 5 working days | ||||
Fault Resolution | 2 days | 5 days | Next scheduled release | Agreed scheduled release |
FAULT PRIORITY LEVELS
Fault Priority Levels | Definition | |
P1 | Whole of or a critical part of the system(s) unusable, causing immediate and significant business impact.
A large number of users are not able to access the system. The access required is deemed urgent and demands immediate attention, or the system is business critical.
Examples include (but are not limited to) failure of the Content Provider platform. | |
P2 | A significant, but not immediately critical, part of the system(s) unusable, creating some business impact.
Some users are unable to access offerings of the service where no alternative methods of access are available.
Examples include (but are not limited to) all users cannot access parts of the service. | |
P3 | Disruption of a single element of the service(s). One or more users are unable to access the system. Alternative access or workarounds are available. | |
P4 | Non-urgent or cosmetic problem, causing inconvenience only. Workarounds are available. A request for information or query. |
Status will be reported at a minimum every thirty minutes to the appointed representative.
A 5% penalty will be imposed on the revenue of each content, if the above service level standards are not met.
ESCALATION PROCESS
If Maxis discovers the unavailability of Content Provider's Service:
Level | Escalation | Maxis Response | Content Provider's Response | |||
1 | Fault Reception | 1. Report fault to Content Provider. 2. Log down date and time. 3. Assist investigation of fault. | 1. Confirm receipt of fault report from Maxis. 2. Log down date and time. 3. Begin investigation into fault. | |||
2 | Service Restoration | 1. Confirm successful restoration of service from Content Provider. 2. Log down date and time. | 1. Report successful restoration of service to Maxis. 2. Log down date and time. | |||
3 | Fault Resolution | 1. Accept successful resolution of fault from Content Provider 2. Log down date and time. | 1. Report successful resolution of fault to Maxis. 2. Log down date and time. |
If Content Provider discovers the unavailability of Maxis Service:
Level | Escalation | Content Provider's Response | Maxis Response | |||
1 | Fault Reception | 1. Report fault to Maxis 2. Log down date and time. 3. Assist investigation of fault. | 1. Confirm receipt of fault report from Content Provider. 2. Log down date and time. 3. Begin investigation into fault. | |||
2 | Service Restoration | 1. Confirm successful restoration of service from Maxis. 2. Log down date and time. | 1. Report successful restoration of service to Content Provider. 2. Log down date and time. | |||
3 | Fault Resolution | 1. Accept successful resolution of fault from Maxis. 2. Log down date and time. | 1. Report successful resolution of fault to Content Provider. 2. Log down date and time. |
POINTS CONTACT
Content Provider Escalation Points | ||||||
Escalation | Business Development | Technical Development | Product Manager | |||
First Escalation Level | Name Tel: +603- Cel: +6012- Fax: +603- Email: | Name Tel: +603- Cel: +6012- Fax: +603- Email: | Name Tel: +603- Cel: +6012- Fax: +603- Email: | |||
MAXIS Escalation Points | ||||||
Escalation Level | Business Development | Technical Development | Product Manager | |||
First Escalation Level | Name Tel: +603- Cel: +6012- Fax: +603- Email: | Name Tel: +603- Cel: +6012- Fax: +603- Email: | Name Tel: +603- Cel: +6012- Fax: +603- Email: |
APPENDIX 5
(SECURITY COMPLIANCE REQUIREMENTS)
Security Compliance Requirements | Remarks (if any) | |||
Requirements | ||||
A | Border Control to protect information related to Maxis. | |||
a.1 | Managed border control devices (Firewalls, Routers, IPSes, etc.) which are designed to protect the Maxis related infrastructure and data from unauthorized access and abuse. | |||
a.1.1 | Access to these border control devices should be limited to those with a need and logged to provide traceability of work done. | |||
a.1.2 | The network traffic and access control rules applied to such devices should be reviewed regularly to ensure the services rendered are secure. | |||
a.1.3 | Network and Systems design documents detailing the storage, access, transport, protection of Maxis related data should be kept current to enable audits. | |||
B | Access to Systems and Applications. | |||
b.1 | Public accessibility of the system component should be prohibited from all vectors of access (eg: wired and wireless). | |||
b.2 | Data repositories containing Maxis confidential data (Database, files, etc) should be placed in a securely protected internal network segment. | |||
b.3 | Access to such data should be limited only to authorized users under the control of the Service Provider and authorized to work on the contract. | |||
b.4 | The authorized user list should be validated periodically to ensure the list is current. | |||
b.5 | Remote access to such data should be strictly controlled and monitored to ensure network connectivity is made over encrypted secure channels and authentication performed to validate the authorized users. | |||
C | System and Application configuration | |||
Ensure the Systems and Applications used to service Maxis are safe, secure and managed to provide optimal service. | ||||
c.1 | Systems hosting services for Maxis should be configured to perform safely, securely and provide availability to the defined SLAs. | |||
c.2 | Place logical and physical separation on systems used for delivering the services of Maxis from others. If a shared hosting model is used, protect the Maxis related services to ensure separation of the data and access. | |||
c.3 | Disable unnecessary and insecure services and protocols. | |||
c.4 | Configure the systems to prevent misuse. | |||
c.5 | Encrypt all non-console administrative access using industry standards. (eg: SSH, VPN, SSL/TLS.) | |||
c.6 | Ensure logging and audit trails are enabled to identify access to Maxis related systems and service platforms. | |||
c.7 | Enable processes to provide timely forensic investigation in the event of compromise of any hosted system relating to Maxis. |
D | Protect Maxis Confidential Data. | |||
Keep Maxis Confidential data secure, develop a data retention and disposal policy, and limit the storage and retention to a limit that is required for business, legal and/or regulatory purpose. | ||||
d.1 | Do not store authentication data in any readable format even if encrypted. | |||
d.2 | Keep Personally Identifiable Information (PII)* protected from casual access at all times. | |||
d.3 | Use strong encryption to protect PII related to Maxis services. | |||
d.4 | Manage access to confidential data centrally and reduce the number of repositories that hold such data. | |||
d.5 | Do not allow confidential data to be copied to removable media unencrypted by keys available to the service provider. | |||
d.6 | Protect the keys used to encrypt Maxis confidential information against disclosure and misuse. | |||
d.7 | Document and enforce all key-management processes and procedures and avoid single points of failure in the key management scheme. | |||
d.8 | Keep confidential data separate from the access and authentication keys used to access the data. And ensure both are securely protected. | |||
d.9 | Use strong cryptography and security protocols when providing access to PII over open public networks. | |||
d.10 | Never allow the transmission of access control information (usernames & passcodes) over an unencrypted channel. | |||
E | Malware protection. | |||
Maxis related infrastructure should be protected from malware at all times. | ||||
e.1 | Ensure all systems related to the Maxis Service delivery are protected by Malware prevention systems and are kept updated and active at all times. | |||
F | Patch Management and Application Security. | |||
Systems become vulnerable as software becomes obsolete or new exploits are discovered. Proper patch management and vulnerability assessment mitigates this risk. | ||||
f.1 | Ensure all system components have the latest vendor supplied patches | |||
f.2 | Ensure usage of Maxis related services is done using software applications which have been secured using industry best practices. | |||
f.2.1 | Testing security patches prior to release. | |||
f.2.2 | Validation of Input to prevent or safely recover from malicious content. | |||
f.2.3 | Implementing secure communications. | |||
f.3 | Separate development/test and live systems. | |||
f.3.1 | Not using live PII in tests. | |||
f.3.2 | Ensuring no test or preproduction data and scripts exist in live systems environments. | |||
f.3.3 | Proper and documented code review process to remove vulnerabilities prior to release to the live environment. | |||
f.3.4 | Documented change review process. | |||
f.3.5 | If web development is done, it should be based on secure coding guidelines (like OWASP) to prevent common coding vulnerabilities. | |||
f.3.6 | For public facing web application ensure ongoing application vulnerability assessment and use of web-application firewall. |
G | Restrict access to PII | |||
Handling and access to Personally Identifiable Information can result in leakage of confidentiality which affects Maxis and its reputation. Limiting access to this information is one step in mitigating this risk. | ||||
g.1 | Practice principle of least privilege - provide privileged access to as few features as necessary to perform their job function. | |||
g.2 | Provide privileged access to as few people as necessary to perform their job duties for Service Delivery. | |||
g.3 | Collect and monitor and periodically audit use of privileged access. | |||
g.4 | Access to sensitive and PII information should be denied to all and selectively allowed based on right to know. | |||
H | User IDs and traceability of user access. | |||
Users' access to systems and applications that deal with PII should be kept to a minimum. However, where access is allowed it must be traceable back to an individual to account for the access. | ||||
h.1 | Users shall be given unique IDs and sharing of IDs or group IDs should be strictly prohibited. | |||
h.2 | Use of multifactor authentication apart from passcodes where the information is confidential or where access is gained remotely. | |||
h.3 | Render all tokens unreadable between the end points of the system and client devices during the authentication process by using strong cryptography. | |||
h.4 | Have proper ID management process to ensure access is granted to valid individuals and passcodes are changed regularly. | |||
h.5 | Regularly cleanup IDs of terminated users and disable access of inactive users. | |||
h.6 | Restrict access to systems by vendors for the period of activity only and based on documented change management request. | |||
h.7 | Ensure that passwords meet the best practices for complexity, size, validity and non predictability. | |||
h.8 | Password failures after an acceptable number of times should lock out the account to prevent any further attempts to login. | |||
I | Physical access to systems and data. | |||
Most controls are placed on remotely accessing systems and networks, however, if physical access to the system is not controlled then the hardware containing confidential systems may be removed together with the data in it. | ||||
i.1 | Use appropriate facility entry controls to limit and monitor physical access to systems holding or carrying Maxis Information. | |||
i.2 | Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas* and review the collected data against other entries (like work order requests, change requests etc.) regularly for intrusion. | |||
i.3 | Restrict access to private network* (wired and wireless) at public or common areas like meeting rooms or lobbies. | |||
i.4 | Provide identification (eg Badges) for authorized personnel to differentiate them from outsiders and enforce the use of such identification. | |||
i.5 | Ensure proper handling of visitors by requiring identification, authorization, badging, and auditable logging of all entry and exit to areas hosting or serving Maxis infrastructure and services. Retain logs for a period of at least 3 months. | |||
J | Handling of Media and Data. | |||
Media storage does not always reside on the hard disk of systems or in backup tapes, it also transits networks or is copied to alternate media for efficient service delivery. Ensure these vectors of access to media are properly handled for security and privacy. |
j.1 | Store backup media in a secure location, preferably a secure off-site facility and review the security of the site and the media transfer process at least annually. | |||
j.2 | Physically secure all paper and electronic media that contain PII data (eg: Bills, Statements, Customer lists etc.) | |||
j.3 | Maintain strict control over the internal and external distribution of any kind of media that contains PII data. Identify it as confidential and transfer it by secured courier or other methods that ensure the privacy and traceability of the transfer. | |||
j.4 | Maintain strict control over the storage and accessibility of the PII Media. Ensure inventory logs of all media are maintained and checked regularly. | |||
j.5 | Destroy media containing PII information when it is no longer needed for business, regulatory or administrative use; or as described in the terms of use. | |||
K | Track and Monitor all access to network resources and PII. | |||
Logging mechanisms and the ability to track user activities are critical in preventing, detecting or minimizing the impact of data compromise. The existence of these logs allows the investigation of incidents and identifying improvements to networks. | ||||
k.1 | Ensure all network access to system components is tied to individual accounts which are not shared. | |||
k.2 | Implement automated audit trails for all system components to identify individual access, action taken with elevated privileges, use of identification and authentication tokens, invalid logical access attempts, changes in audit logs, creation and deletion of system-level objects. | |||
k.3 | Record at least the following information in the audit trail entries: user identification, date and time, type of event, success or failure of attempt, origin of event, identity or name of affected data, system or resource component. | |||
k.4 | Synchronize all critical systems clocks and times to approved NTP servers of at least level 2. | |||
k.5 | Secure audit logs so they cannot be altered and use file integrity monitoring tools to detect changes and issue alerts when such changes occur. | |||
k.6 | Limit access to audit trail logs to those with a need to know. | |||
k.7 | Keep audit logs in a central log server or media that is outside the control or access of administrators whose system components are being logged. | |||
k.8 | Keep audit logs of systems components on the external segments secured on internally hosted central log servers. | |||
k.9 | Review logs of all system components at least daily; the following systems should be included in such reviews: security control devices like firewalls, intrusion detection and/or prevention tools, AAA servers like RADIUS. | |||
k.10 | Keep audit trail logs for at least 1 year; consider keeping 3 months online and the rest offline if resource is a constraint. | |||
L | Regularly Test the security systems and processes | |||
Vulnerabilities to systems and networks can be revealed by checking the process and auditing the security controls regularly. Ensure this is done by an independent body to ensure impartial results. | ||||
l.1 | Test for access points not part of the design of the facility: eg: look for wireless access points, open network jacks that lead to the core network from common areas like public meeting rooms and lobbies. | |||
l.2 | Execute internal and external Vulnerability Assessment by qualified network security personnel at least quarterly or after any significant change in the network. | |||
l.3 | Perform internal and external Penetration Test at least once a year or after significant infrastructure and application upgrade. Ensure the tests include the network and application layers of the services provided. |
l.4 | Consider the use of Intrusion Detection or Prevention Systems (IDS/ IPS) to monitor all traffic to networks that handle PII data. And keep the IDS/IPS engines updated regularly. | |||
l.5 | Deploy automated file-integrity monitoring software to regularly alert personnel to unauthorized modification of critical system files, configuration files, or content files. | |||
M | Information Security Policies and Acceptable Use. | |||
A strong security policy sets the tone for the company on the importance of security and what is expected of them. The policy should be made mandatory for anyone coming into contact with the systems and networks handling sensitive material to be compliant and enforced by the management. | ||||
m.1 | Establish, publish, maintain and disseminate a security policy that accomplishes the following: addresses data classification, privacy, and confidentiality, includes annual threat analysis, and verification of security controls. | |||
m.2 | Develop and enforce operational security procedures which are consistent with the requirements of the policy. (eg: account management, log audits, etc.) | |||
m.3 | Develop and enforce an acceptable use policy for use of the company's infrastructure in a manner that promotes the approved use of infrastructure and end point devices which maintain the security and availability of services. | |||
m.3.i | Explicit management approval of systems and network access technology used. | |||
m.3.ii | Authentication for use of infrastructure and systems. | |||
m.3.iii | Use of company approved products on the corporate infrastructure. | |||
m.3.iv | Approved remote access technology. | |||
m.3.v | Prohibit the copy or storage of PII on client side devices, removable and fixed media. | |||
m.4 | Ensure that the security policy and procedures clearly define information security responsibilities for all users of the systems and networks and have all users endorse their compliance annually. | |||
m.5 | Assign the task of managing information security responsibility to a qualified team. | |||
m.6 | Implement a continuous and formal security awareness program and make all users aware of the importance of keeping PII data private and secure. | |||
m.7 | Screen employees with access to PII data and systems which hold such data to minimize risk of deliberate or malicious disclosure of such data. | |||
m.8 | Ensure any subcontractors of the Service Provider carry the same responsibility of compliance to the policies. | |||
m.9 | Maintain a written agreement that includes acknowledgement that the subcontractors are responsible for the security of PII held by them. | |||
m.10 | Implement an incident response plan and be prepared to respond immediately to a system breach. | |||
m.10.i | Ensure the plan covers: Roles, responsibilities, communication and contact strategies in the event of a compromise. | |||
m.10.ii | Has well defined procedures to follow. | |||
m.10.iii | Has Business recovery and continuity procedures. | |||
m.10.iv | Data Back up procedure. | |||
m.10.v | Process of disclosure to Maxis in the event of incident or compromise. | |||
m.10.vi | Coverage and response of all critical system components. | |||
m.11 | A validation and test of the Incident Response Plan at least annually. | |||
m.12 | Availability of key personnel on the Incident Response Team on a 24x7 window. | |||
m.13 | Appropriate training for security breach response responsibilities. | |||
m.14 | Include alerts from intrusion detection, intrusion prevention and file-integrity monitoring systems. | |||
m.15 | Have a plan to review and evolve the incident response plan according to the lessons learned and to incorporate industry changes. |
Glossary.
Terms | Definition | |
Personally Identifiable Information (PII) | All personally identifiable information (PII) about customers or potential customers held in whatever form. Examples of PII include name, date of birth, home mailing address, telephone number, MyKad number, travel document numbers, home e-mail address, zip code, account numbers, certificate/license numbers, vehicle identifiers (including license plates), uniform resource locators (URLs), Internet protocol addresses, biometric identifiers (e.g., fingerprints), voice recordings, photographic facial images, any unique identifying number or characteristic, and other information where it is reasonably foreseeable that the information will be linked with other personal identifiers of the individual. | |
Common OWASP vulnerabilities. | Examples of such vulnerabilities: | |
Cross Site Scripting (XSS), | ||
Injection flaws (eg: SQL, LDAP, XPath etc) | ||
Malicious file execution. | ||
Insecure direct object reference | ||
Cross Site request forgery (CSRF) | ||
Information leakage and improper error handling. | ||
Broken Authentication and session management. | ||
Insecure cryptography | ||
Insecure communication | ||
Failure to restrict URL access. | ||
Sensitive Areas | Sensitive Areas refers to any infrastructure (server, rooms, networks) that house systems that store, process or transmit PII and transactional data relating to the services offered by Maxis. | |
Private Network | The internal or core network segment that houses the host and services of Maxis (eg: Data Centers) as opposed to the general network segment offered to general users which does not overlap the private network. | |
Destroy Media. | Use the following means to destroy the data: | |
shred, incinerate or pulp hardcopy material | ||
Securely delete electronic media according to industry-accepted standards for deletion or otherwise physically destroy the media (eg: degaussing) |
SCHEDULE I
(FORMAT OF ADDING NEW APPENDICES)
We, as Parties to the Master Content Provider Agreement dated [specify date] (Agreement) hereby agree to the provision by the Content Provider in accordance with the terms and conditions of the Agreement of New Content as specified in the following additional Appendices:
(a) | Appendix 1 [specify whether A, B, C, etc.]; |
(b) | Appendix 2 [specify whether A, B, C, etc.]; |
(c) | Appendix 3 [specify whether A, B, C, etc.]; and |
(d) | Appendix 4 [specify whether A, B, C, etc.]. |
Signed for and on behalf of Maxis Mobile Services Sdn Bhd | Signed for and on behalf of [Content Provider] | |||
By: | By: | |||
Name: | Name: | |||
Designation: | Designation: | |||
Date: | Date: | |||
In the presence of: | ||||
Name: | Name: | |||
Designation: | Designation: | |||
Date: | Date: |