Common use of Network Service Protection Requirements Clause in Contracts

Network Service Protection Requirements. All licensed content must be received in an encrypted format and stored at content processing and storage facilities and access control policies must be enforced, including by limiting and controlling physical access to servers. Document security policies and procedures shall be in place. Documentation of policy enforcement and compliance shall be continuously maintained. Access to video content in unprotected format must be limited to authorized personnel and auditable records of actual access shall be maintained. Physical access to servers must be limited and controlled. Content servers must be protected from general internet traffic by “state of the art” protection systems including, without limitation, firewalls, virtual private networks, and intrusion detection systems. All systems must be regularly updated to incorporate the latest security patches and upgrades. High-Definition Restrictions & Requirements In addition to the foregoing requirements, all HD content (and all Stereoscopic 3D content) is subject to the following set of restrictions & requirements: General Purpose Computer Platforms. HD content is expressly prohibited from being delivered to and playable on General Purpose Computer Platforms (e.g. PCs, Tablets, Mobile Phones) unless explicitly approved by CDD. If approved by CDD, the additional requirements for HD playback on General Purpose Computer Platforms will be: Allowed Platforms. HD content for General Purpose Computer Platforms is only allowed on the device platforms (operating system, Content Protection System, and device hardware, where appropriate) specified below: Android. HD content is only allowed on the Android operating systems as follows: Ice Cream Sandwich (4.0) or later versions: when protected using the implementation of Widevine built into Android, or all versions of Android: when protected using an Ultraviolet approved DRM or Ultraviolet Approved Streaming Method (as listed in section 2 of this Schedule) either: implemented using hardware-enforced security mechanisms (e.g. ARM Trustzone) or implemented by a CDD-approved implementer, or all versions of Android: when protected by a CDD-approved content protection system implemented by a CDD-approved implementer iOS. HD content is only allowed on the iOS operating systems (all versions thereof) as follows: when protected by an Ultraviolet approved DRM or Ultraviolet Approved Streaming Method (as listed in section 2 of this Schedule) or other CDD-approved content protection system, and CDD content shall NOT be transmitted over Apple Airplay and applications shall disable use of Apple Airplay, and where the provisioned HLS implementation is used (e.g. so that native media processing can be used), the connection between the approved DRM client and the native HLS implementation shall be robustly and effectively secured (e.g. by mutual authentication of the approved DRM client and the native HLS implementation) Windows: HD content is only allowed on Windows Operating System devices supporting the Windows Vista, XP (incorporating Service Pack 2), Windows 7 and 8 operating system (all forms thereof) when protected by an Ultraviolet Approved DRM or Ultraviolet Approved Streaming Method (as listed in section 2 of this Schedule) or other CDD-approved content protection system. Mac OS: HD content is allowed on the integrated screens of devices using Mac OS version 10.5 (and successor versions) with digital outputs subject to the requirements outlined in Section 12.iii. Robust Implementation

Network Service Protection Requirements. All licensed content must be received in an encrypted format and stored at content processing and storage facilities in a protected and access control policies must be enforced, including by limiting and controlling physical access to serversencrypted format using an industry standard protection systems. Document security policies and procedures shall be in place. Documentation of policy enforcement and compliance shall be continuously maintained. Access to video content in unprotected format must be limited to authorized personnel and auditable records of actual access shall be maintained. Physical access to servers must be limited and controlledcontrolled and must be monitored by a logging system. Auditable records of access, copying, movement, transmission, backups, or modification of content must be securely stored for a period of at least one year. Content servers must be protected from general internet traffic by “state of the art” protection systems including, without limitation, firewalls, virtual private networks, and intrusion detection systems. All systems must be regularly updated to incorporate the latest security patches and upgrades. All facilities which process and store content must be available for Motion Picture Association of America and Licensor audits upon the request of Licensor. Content must be returned to Licensor or securely destroyed pursuant to the Agreement at the end of such content’s license period including, without limitation, all electronic and physical copies thereof. High-Definition Restrictions & Requirements In addition to the foregoing requirements, all HD content (and all Stereoscopic 3D content) is subject to the following set of restrictions & requirements: General Purpose Computer Platforms. HD content is expressly prohibited from being delivered to and playable on General Purpose Computer Platforms (e.g. PCs, Tablets, Mobile Phones) unless explicitly approved by CDDLicensor. If approved by CDDLicensor, the additional requirements for HD playback on General Purpose Computer Platforms will be: Allowed Platforms. HD content for General Purpose Computer Platforms is only allowed on the device platforms (operating system, Content Protection System, and device hardware, where appropriate) specified below: Android. HD content is only allowed on Tablets and Mobiles Phones supporting the Android operating systems as follows: Ice Cream Sandwich (4.0) or later versions: when protected using the implementation of Widevine built into Android, or all versions of Android: when protected using an Ultraviolet approved DRM or Ultraviolet Approved Streaming Method (as listed in section 2 of this Schedule) either: implemented using hardware-enforced security mechanisms (e.g. ARM Trustzone) or implemented by a CDDLicensor-approved implementer, or all versions of Android: when protected by a CDDLicensor-approved content protection system implemented by a CDDLicensor-approved implementer iOS. HD content is only allowed on Tablets and Mobiles Phones supporting the iOS operating systems (all versions thereof) as follows: when protected by an Ultraviolet approved DRM or Ultraviolet Approved Streaming Method (as listed in section 2 of this Schedule) or other CDDLicensor-approved content protection system, and CDD Licensor content shall NOT be transmitted over Apple Airplay and applications shall disable use of Apple Airplay, and where the provisioned HLS implementation is used (e.g. so that native media processing can be used), the connection between the approved DRM client and the native HLS implementation shall be robustly and effectively secured (e.g. by mutual authentication of the approved DRM client and the native HLS implementation) Windows: Windows 7 and 8. HD content is only allowed on Windows Operating System devices Personal Computers, Tablets and Mobiles Phones supporting the Windows Vista, XP (incorporating Service Pack 2), Windows 7 and 8 operating system (all forms thereof) when protected by an Ultraviolet Approved DRM or Ultraviolet Approved Streaming Method (as listed in section 2 of this Schedule) or other CDDLicensor-approved content protection system. Mac OS: Robust Implementation Implementations of Content Protection Systems on General Purpose Computer Platforms shall use hardware-enforced security mechanisms, including secure boot and trusted execution environments, where possible. Implementation of Content Protection Systems on General Purpose Computer Platforms shall, in all cases, use state of the art obfuscation mechanisms for the security sensitive parts of the software implementing the Content Protection System. All General Purpose Computer Platforms (devices) deployed by Licensee after end December 31st, 2013, SHALL support hardware-enforced security mechanisms, including trusted execution environments and secure boot. All implementations of Content Protection Systems on General Purpose Computer Platforms deployed by Licensee (e.g. in the form of an application) after end December 31st, 2013, SHALL use hardware-enforced security mechanisms (including trusted execution environments) where supported, and SHALL NOT allow the display of HD content where the General Purpose Computer Platforms on which the implementation resides does not support hardware-enforced security mechanisms. Digital Outputs: For avoidance of doubt, HD content may only be output in accordance with section “Digital Outputs” above unless stated explicitly otherwise below. If an HDCP connection cannot be established, as required by section “Digital Outputs” above, the playback of content over an output on a General Purpose Computing Platform (either digital or analogue) must be limited to a resolution no greater than Standard Definition (SD). With respect to playback in HD over analog outputs, Licensee shall either (i) prohibit the playback of such HD content over all analogue outputs on all such General Purpose Computing Platforms or (ii) ensure that the playback of such content over analogue outputs on all such General Purpose Computing Platforms is allowed on limited to a resolution no greater than SD. Notwithstanding anything in this Agreement, if Licensee is not in compliance with this Section, then, upon Licensor’s written request, Licensee will temporarily disable the integrated screens availability of devices using Mac OS version 10.5 content in HD via the Licensee service within thirty (30) days following Licensee becoming aware of such non-compliance or Licensee’s receipt of written notice of such non-compliance from Licensor until such time as Licensee is in compliance with this section “General Purpose Computing Platforms”; provided that: if Licensee can robustly distinguish between General Purpose Computing Platforms that are in compliance with this section “General Purpose Computing Platforms”, and successor versions) General Purpose Computing Platforms which are not in compliance, Licensee may continue the availability of content in HD for General Purpose Computing Platforms that it reliably and justifiably knows are in compliance but is required to disable the availability of content in HD via the Licensee service for all other General Purpose Computing Platforms, and in the event that Licensee becomes aware of non-compliance with digital outputs subject this Section, Licensee shall promptly notify Licensor thereof; provided that Licensee shall not be required to the requirements outlined in Section 12.iii. Robust Implementationprovide Licensor notice of any third party hacks to HDCP.