Rapid7 Limited Breach Protection Warranty Agreement

Last updated April 2025

BY SUBMITTING THE WARRANTY ENROLLMENT FORM ON THIS PAGE OR CLICKING A "SUBMIT", "CONTINUE", "I AGREE" OR A SIMILAR PHRASE, OR OTHER SIMILAR BUTTON ASSOCIATED WITH THIS AGREEMENT, YOU AND THE COMPANY OR ENTITY YOU ARE ACTING FOR ("CUSTOMER") AGREE TO THIS RAPID7 LIMITED BREACH PROTECTION WARRANTY AGREEMENT ("WARRANTY AGREEMENT") AND THE WARRANTY AGREEMENT WILL BE DEEMED A BINDING CONTRACT BETWEEN RAPID7 AND CUSTOMER. YOU EXPRESSLY REPRESENT AND WARRANT THAT: (1) YOU ARE LAWFULLY ABLE TO ENTER INTO THIS WARRANTY AGREEMENT, AND (2) THE COMPANY OR ENTITY THAT YOU ARE ACTING FOR HAS GIVEN YOU FULL AUTHORITY TO BIND THE COMPANY/ENTITY TO THIS WARRANTY AGREEMENT. IF YOU DO NOT AGREE TO OR CANNOT COMPLY WITH ALL OF THE TERMS AND CONDITIONS SET FORTH IN THIS WARRANTY AGREEMENT OR IF YOU DO NOT HAVE AUTHORITY TO BIND THE CUSTOMER, THEN DO NOT CLICK "SUBMIT", "CONTINUE", "AGREE" OR A SIMILAR PHRASE, AND CUSTOMER WILL NOT BE AUTHORIZED TO ENROLL IN RAPID7'S BREACH PROTECTION WARRANTY.

This Warranty Agreement is entered into as of the date that Customer accepts the terms and conditions herein ("Warranty Inception Date").

In consideration of the mutual covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. DEFINITIONS

"Affiliate" means any legal entity that controls, is controlled by, or that is under common control with a party. "Control" means ownership of more than 50% interest of voting securities in an entity or the power to direct the management and policies of an entity.

"Carrier" means the insurance carrier underwriting this warranty.

"Compliance Action" means (1) a request for information, civil investigative demand, administrative action or civil proceeding brought by a federal or state government entity or agency against Customer, or (2) an action brought by, or written demand from, a payment card association seeking an assessment, fee, fine or penalty for a violation of the PCI Data Security Standard.

"Covered Expenses" means solely (and to the exclusion of all other fees, expenses, losses, settlements and damages) the following reasonable and necessary fees and expenses to the extent incurred by Customer as a result of a Security Incident:

(1) Forensic Investigation Expenses;

(2) Legal Consultation Expenses;

(3) Post-Security Incident Expenses; and

(4) Public Relations Expenses;

The foregoing fees and expenses constitute "Covered Expenses" only if: (1) incurred by Customer after having obtained prior written approval from Rapid7 to obtain such services or incur such expenditures; (2) invoiced by a third party provider that has been preapproved in writing by Rapid7; (3) incurred by Customer within one (1) year following the Discovery Date of the applicable Security Incident; and (4) payment and/or reimbursement does not violate any applicable domestic or foreign law, statute, regulation or rule as determined by Rapid7 in its sole discretion.

"Covered Endpoint" means any Customer Endpoint (i) that has the Rapid7 agent installed on it and (ii) with an operating system that (a) meets the pre-requisites and configuration requirements listed in the Documentation, and (b) is fully supported by the operating system manufacturer.

"Customer Agreement" means the agreement between Rapid7 and Customer governing Customer's Managed Threat Complete Ultimate subscription.

"Discovery Date" means the earlier of (1) the date Customer first discovers the Security Incident or (2) the date Rapid7 first discovers the Security Incident.

"Documentation" means the technical documentation of Managed Threat Complete Ultimate generally supplied by Rapid7 to its end-customers.

"Endpoint" means any physical or virtual device that is under ownership, operation or control of, or is leased by, Customer.

"Event Date" means the date the Security Incident or Pre-existing Incident first occurred; provided, however, that each Security Incident that forms part of a Related Security Incident shall be deemed to have the Event Date of the earliest Security Incident or Pre-existing Incident (if applicable) that forms part of the Related Security Incident.

"Managed Threat Complete Ultimate ("MTC Ultimate")" means Rapid7's managed subscription referred to as Managed Threat Complete Ultimate and as further described under https://www.rapid7.com/.

"Forensic Investigation Expenses" means fees and expenses of a vendor, approved by Rapid7, incurred by Customer to conduct an investigation (including a forensic investigation) to determine the cause and extent of a Security Incident.

"Legal Consultation Expenses" means fees and expenses of vendor, approved by Rapid7, incurred by Customer to obtain data security-related legal advice after a Security Incident, including, without limitation advice related to notification content and requirements. Legal Consultation Expenses do not include any fees or expenses incurred in connection with the response to or defense of any actual, anticipated or threatened suit, action, proceeding litigation or Compliance Action against the Customer.

"Measured Security Posture" means the configurations, settings, actions and remediations described in then-current Rapid7 documentation for MTC Ultimate.

"Personnel" means Customer's employees, vendors and contractors.

"Physical Event" means fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God, loss or theft of a physical Endpoint, or any other physical event, however caused.

"Post-Security Incident Expenses" means fees and expenses incurred by Customer, at the advice of a vendor approved by Rapid7, for (1) notifying individuals whose personally identifiable information may have been compromised by a Security Incident (including the cost of printing and mailing) and (2) identity theft call center assistance, identity restoration services, credit file or identity monitoring and/or victim expense reimbursement insurance made available to such notified individuals.

"Pre-existing Incident" means any unauthorized access to the operating system of an Endpoint that occurs either (1) before such Endpoint becomes a Covered Endpoint in the Protected Environment; or (2) before Customer's Warranty Period.

"Protected Environment" means the Covered Endpoint that are in the Measured Security Posture (or higher) and monitored by Rapid7's MTC Ultimate team.

"Public Relations Expenses" means fees and expenses incurred by Customer for a public relations firm, approved by Rapid7, to advise the Customer on minimizing the harm to Customer and restoring public confidence in Customer after a Security Incident.

"Related Security Incident" means, collectively, the same, continuous, related or repeated Pre-existing Incidents and/or Security Incidents.

"Security Incident" means unauthorized access by a Third Party to the operating system of a Covered Endpoint in the Protected Environment that results in the malicious exfiltration, destruction and/or irreversible encryption of Customer data that Customer reasonably believes has value in excess of $25,000. Notwithstanding the foregoing, unauthorized access arising out of or resulting directly or indirectly from any of the following events does not constitute a Security Incident: (a) Customer whitelisting a Covered Endpoint or process; (b) Customer or Personnel altering or instructing Rapid7 to alter configurations such that a Covered Endpoint falls below the Measured Security Posture; (c) Customer's or Personnel's failure to follow Rapid7's prevention or remediation instructions; (d) Customer's or Personnel's modification or alteration of MTC Ultimate; (e) any fraudulent, criminal or malicious act of Customer or its Personnel, or any intentional or knowing violation of the law by Customer or its Personnel; (f) any Physical Event; (g) any form of Unrest; and/or (h) the Third Party accessed the operating system of a Covered Endpoint in the Protected Environment from a portion of the Customer's network that is not part of the Protected Environment.

"Third Party" means any entity or person except Customer and Personnel.

"Unrest" means strike or similar labor action, war, invasion, military action (whether war is declared or not), civil war, mutiny, popular or military uprising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against any of these events.

2. Scope

If Customer experiences a Security Incident in its Protected Environment during a Warranty Period, Customer's sole and exclusive remedy will be under this limited warranty, subject to the terms herein, for the reimbursement of Covered Expenses that directly result from such Security Incident ("Payments") up to a maximum amount not to exceed the applicable Limit set forth in Section 3 (Limits of Liability).

This limited warranty extends only to Customer and its Covered Expenses, and unless explicitly agreed by Rapid7 in writing, does not extend to Customer's Affiliates or any of their losses or damages, nor does it extend to any third parties (including, but not limited to, suppliers, service providers, end-clients, employees or agents of Customer) or any of their losses or damages.

3. Limits of Liability

Covered Costs: Customer Covered Endpoints | Limit (in USD)
500-4,999 | $100,000
5,000-10,000 | $500,000
10,001 and above | $1,000,000

Aggregate Payments for multiple Security Incidents that have Discovery Dates in the Warranty Period shall not exceed the Limit for such Warranty Period.

4. Reimbursement Eligibility

To be eligible for Payments:

a) During the entirety of the Warranty Period: (i) Customer must have a valid MTC Ultimate subscription, and (ii) Customer's Covered Endpoint must be in the Measured Security Posture (or higher) at all times;

b) At the time the Security Incident first occurs, Customer must be using the most-recent version of the Rapid7 agent made available by Rapid7 to Customer on the Endpoint(s) that experienced such Security Incident;

c) The Event Date and Discovery Date of the Security Incident must occur during the Warranty Period;

d) Customer must notify Rapid7 in accordance with Section 6 below;

e) Customer must be in compliance with its Customer Agreement, including without limitation any payment obligations; and

f) During the entirety of the Warranty Period, Customer must reasonably cooperate with Rapid7, including without limitation by implementing all reasonable remediation steps provided by Rapid7 and providing all reasonably requested information and complying with the reimbursement process set forth in Section 5 (Reimbursement Request Process).

5. Reimbursement Request Process:

a) Reimbursement Request Requirements. A separate Reimbursement Request must be submitted to Rapid7 for each Security Incident. Such Reimbursement Request shall include all information available to Customer regarding the Security Incident.

b) Submission of Reimbursement Request. Rapid7 shall review the Reimbursement Request and Customer shall provide any additional information reasonably requested by Rapid7 at any time. By submitting the Reimbursement Request to Rapid7, Customer authorizes Rapid7 to share any information that is reasonably necessary to assess the validity of the Reimbursement Request with Carrier, provided Carrier is under an obligation to keep such information confidential. If Carrier denies coverage to Rapid7 for any Reimbursement Request, notwithstanding anything to the contrary in this Warranty Agreement, Rapid7 shall have no obligation to make any Payments for such Reimbursement Request to Customer.

c) Payments. Rapid7 shall have no obligation to make Payments that are prohibited by law. Customer shall submit proof of Covered Expenses in accordance with Rapid7's instructions. During the Warranty Period and for a period of three (3) years thereafter, Rapid7 shall have the right at its own expense to inspect, and Customer shall maintain and provide, Customer's records related to such Covered Expenses upon unreasonable written request during regular business hours.

6. Notice.

If Rapid7 discovers a Security Incident during the Warranty Period that occurred during such Warranty Period, Rapid7 shall notify Customer of such Security Incident in accordance with Rapid7's then-applicable MTC Ultimate documentation. If Customer discovers during the Warranty Period a Security Incident that occurred during such Warranty Period, Customer shall notify Rapid7 of such Security Incident by sending an email to [email protected] no later than seventy-two (72) hours after the Discovery Date of such Security Incident. Customer shall have thirty (30) days from (a) the date Rapid7 provides notice of Security Incident to Customer, or (b) Customer provides notice of a Security Incident to Rapid7 to notify Rapid7 of Customer's intent to request Payments by sending an email to [email protected] ("Reimbursement Request").

7. Exclusions:

This limited warranty does not extend to Pre-existing Incidents or Related Security Incidents that include a Pre-existing Incident. All Covered Expenses resulting from a Related Security Incident shall be subject to the terms, conditions, exclusions and Limits of Liability of the Warranty Period in effect on the Discovery Date of the first discovered Security Incident that forms part of the Related Security Incident.

8. Choice of Law:

The terms of this Warranty Agreement will be governed by and construed in accordance with the laws of the State of Delaware. The 1980 United Nations Convention on Contracts for the International Sale of Goods and its related instruments will not apply to this agreement.

9. Dispute Resolution:

Notwithstanding any dispute resolution or venue provisions in any Customer Agreement, any dispute, claim, or controversy arising out of or relating to this Warranty Agreement or the existence, breach, termination, enforcement, interpretation, or validity of this Warranty Agreement, including the determination of the scope or applicability of this arbitration clause, (each, a "Dispute") shall be referred to and finally resolved by arbitration under the rules of the American Arbitration Association in force on the date when the notice of arbitration is submitted in accordance with such rules (which rules are deemed to be incorporated by reference into this clause) on the basis that the governing law is the law of the State of Delaware, USA; and (2) any Customer claims under the Customer Agreement that are in any way related to a Dispute or MTC Ultimate shall also be subject to this arbitration provision. The seat, or legal place, of arbitration shall be the State of Delaware, USA.

The arbitral panel shall consist of three (3) arbitrators, selected as follows: each party shall appoint one (1) arbitrator; and those two (2) arbitrators shall discuss and select the third arbitrator. If the two party-appointed arbitrators are unable to agree on a third arbitrator, the third arbitrator shall be selected in accordance with the applicable rules of the arbitration body. Each arbitrator shall be independent of all parties to the arbitration and shall have suitable experience and knowledge in the subject matter of the Dispute. Judgement upon the award so rendered may be entered in a court having jurisdiction or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. The language to be used in the arbitral proceedings shall be English.

10. Term, Termination & Assignment:

This Warranty Agreement shall commence on the Warranty Inception Date and continue for the term of the Customer's then-current MTC Ultimate subscription ("Warranty Period"), unless terminated earlier in accordance with this Section 10 or the Customer Agreement. This Warranty Agreement may be terminated by Rapid7, with immediate effect, for convenience and for any reason in Rapid7's sole discretion and Rapid7 will have no further liabilities to Customer under this Warranty Agreement. Termination of the Customer Agreement and/or Customer's MTC Ultimate subscription shall automatically terminate this Warranty Agreement. Termination of this Warranty Agreement shall not terminate the Customer Agreement or Customer's MTC Ultimate subscription.

Customer may not assign this Warranty Agreement without the prior written consent of Rapid7, except to an Affiliate in connection with a corporate reorganization or in connection with a merger, acquisition, or sale of all or substantially all of its business and/or assets, provided Customer provides Rapid7 with notice of any such assignment no later than thirty (30) days after such assignment or change in control event is public. Any assignment in violation of this Section 10 shall be void and shall void this Warranty Agreement. Subject to the foregoing, all rights and obligations of the parties under this Warranty Agreement shall be binding upon and inure to the benefit of and be enforceable by and against the successors and permitted assigns.

Except to the extent a Reimbursement Request arises out of an event that is later determined (1) not to be a Security Incident, or (2) to relate to a Pre-Existing Incident, Rapid7 hereby waives any and all rights it has or may have to reimbursement of Payments from Customer. Customer shall promptly (but in no event later than 30 days after written notice) reimburse Rapid7 for all Payments related to a Reimbursement Request that arises out of an event that is later determined not to be a Security Incident or that relates to a Pre-Existing Incident.

11. Insurance.

Rapid7 has obtained one or more insurance policies to cover its obligations under this Warranty Agreement. Customer is not an insured or intended third party beneficiary under such insurance policies, and hereby waives any rights it may have as a third party beneficiary under such insurance policies. Customer shall not communicate with Carrier without Rapid7's prior written consent. Where approved by Rapid7, Customer agrees to communicate directly with Carrier regarding Reimbursement Requests and to provide the same information and cooperation required under this Warranty Agreement to any Carrier issuing such an insurance policy. Notwithstanding the foregoing or anything else herein to the contrary, (a) the parties do not intend for this Warranty Agreement to be deemed a contract of insurance under any laws or regulations and (b) this Warranty Agreement shall be null and void in any country or other jurisdiction in which it is deemed to be a contract of insurance.

12. Updates.

Rapid7 reserves the right to modify this Warranty Agreement at its sole discretion. Should Rapid7 make any modifications to the Warranty Agreement, Rapid7 will post the amended terms at https://www.rapid7.com/legal/breach-protection-warranty-terms/ or provide notification by such other reasonable notification method implemented by Rapid7.

13. Warranty Disclaimer.

EXCEPT AS SPECIFICALLY SET FORTH HEREIN AND/OR WITHIN THE CUSTOMER AGREEMENT AND TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, RAPID7 AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ANY OTHER EXPRESS, IMPLIED OR STATUTORY WARRANTIES, INCLUDING WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO MTC ULTIMATE. RAPID7 AND ITS AFFILIATES AND SUPPLIERS DO NOT WARRANT THAT MTC ULTIMATE WILL MEET CUSTOMER'S REQUIREMENTS, PURPOSES OR NEEDS, OR THAT IT WILL BE ERROR FREE, OR THAT IT WILL OPERATE WITHOUT INTERRUPTION. CUSTOMER AGREES THAT IT IS CUSTOMER'S RESPONSIBILITY TO ENSURE SAFE USE OF MTC ULTIMATE ON ENDPOINTS INTERFACING WITH SUCH APPLICATIONS AND SYSTEMS.

14. Limitation of Liability.

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, FOR ANY CAUSE RELATED TO OR ARISING OUT OF THIS WARRANTY AGREEMENT, WHETHER IN AN ACTION BASED ON A CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR ANY OTHER LEGAL THEORY, HOWEVER ARISING, RAPID7 WILL IN NO EVENT BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR LOST REVENUES, LOST PROFITS, LOST BUSINESS OPPORTUNITIES OR LOST GOODWILL, LOST DATA, DATA RESTORATION OR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE. IN NO EVENT WILL RAPID7'S LIABILITY UNDER OR ARISING FROM THIS WARRANTY AGREEMENT EXCEED THE AGGREGATE LIMIT OF LIABILITY IN SECTION 3 (LIMITS OF LIABILITY). Multiple claims or Security Incidents shall not expand the limitation specified in the foregoing sentence. Any Payments, damages or losses paid under this Warranty Agreement shall accrue towards any limit of liability set forth in the Customer Agreement. If such limitation of liability is determined to be invalid under applicable law, this Warranty Agreement shall be deemed null and void.

15. Entire Agreement.

This Warranty Agreement constitutes the entire agreement between Customer and Rapid7 concerning the subject matter of this Warranty Agreement and it supersedes any prior or concurrent proposals, agreements, understandings, or other communications between the parties, oral or written, regarding such subject matter. For the avoidance of doubt, this Warranty Agreement is in addition to the Customer Agreement and except as expressly set forth herein, nothing in this Warranty Agreement is intended to supersede, modify or amend the Customer Agreement, including the warranties therein. This Warranty Agreement is not intended to and shall not be construed to give any third party any interest or rights (including, without limitation, any third party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby.

Appendix A

Technical Requirement for Warranty Coverage

Platform & Agent Configuration

To qualify for Rapid7's breach protection warranty, all Covered Endpoints must meet the following minimum requirements:

  • Protection mode: Set to prevention.
  • Security engines: All engines must be enabled.
  • Cloud Connectivity: Must NOT be disabled.
  • Anti-Tamper: Must be turned ON.
  • Agent Version: The latest Generally Available (GA) version of the Insight Agent must be deployed before any ransomware infection.
  • Pending Actions: No pending actions (e.g., required system reboot) should exist on any Covered Endpoint.
  • Management Console: Customer must be using a supported version of the Rapid7 management console.
  • Exclusions: Any exclusions listed in the Rapid7 Knowledge Base "Not Recommended Exclusions" article must NOT be applied in the Management Console or Endpoints.
  • Multi-Factor Authentication (2FA): Must be enabled in the management console.
  • Ransomware Prevention Module: Set to prevention or detection.

Operating System & Endpoint Compliance

  • The Warranty Agreement applies to standard (not legacy) Windows agents and supported versions of Microsoft Windows, as specified in Rapid7's official system documentation.
  • Each Endpoint must be free of malware before installing the Windows Insight Agent.
  • The Operating System (OS) must be fully updated and patched for all security updates.
  • All vulnerable applications must be updated to their latest release versions.
  • Volume Shadow Copy Service (VSS) must be enabled and functioning on all Windows endpoints.
  • VSS Disk Space Usage allocation must be configured to at least 10% of total disk space on all drives.
  • No Potentially Unwanted Programs (PUPs) flagged as "Not Recommended" in Rapid7 documentation should be installed on the Endpoint.
  • Rapid7's Windows Insight Agent must be deployed alongside either:
    • Rapid7's own Endpoint Detection and Response capabilities, or
    • An approved third-party Next Generation Antivirus (NGAV) or Endpoint Detection & Response (EDR) solution from Rapid7's recommended vendor list.

Exclusions

This Warranty Agreement does not apply to:

  • Pre-existing incidents: Breaches that occurred before the Warranty Inception Date.
  • Negligence or intentional misconduct: Breaches caused by failure to implement Rapid7 recommended security practices or intentional misuse of systems.
  • Unsupported configurations: Endpoints or systems not monitored or managed through the Rapid7 Insight Platform.
  • Cyber extortion payments: Any payments made to threat actors as part of ransomware or extortion demands.