VPN Access User Security Guidelines – Third Party

VIRTUAL PRIVATE NETWORK (VPN) TERMS OF USE THIRD PARTY USERS

This VPN Terms of Use (“Terms of Use”) is entered by and between User and Boise Cascade Company (“Boise Cascade,” “we,” “our,” “us”) and applies to all usage of Boise Cascade’s Virtual Private Network (“BC VPN”) and information technology (IT) systems (“IT Systems”) by all vendors, contractors and other third parties who are granted access to the BC VPN by Boise Cascade (“User” or “Users”). Users shall abide by these Terms of Use at risk of loss of access, termination of the service contract, or both. Limitations on disclosure of any information covered under these Terms of Use shall survive the modification or elimination of User’s access to the BC VPN.

BY ACCESSING AND USING THE BC VPN, USER WARRANTS THAT USER IS AUTHORIZED TO ACCESS AND USE THE BC VPN, HAS READ THESE TERMS OF USE, AND UNDERSTANDS AND AGREES TO ABIDE BY THE TERMS AND CONDITIONS CONTAINED HEREIN.

1. ELIGIBILITY

1.1. User must be authorized by Boise Cascade prior to access and use of the BC VPN. Unauthorized access and use the BC VPN is strictly prohibited. User may not assign or transfer any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law, or otherwise, without the prior written consent Boise Cascade. Any purported assignment, transfer, or delegation in violation of these Terms of Use is null and void.

1.2. Access and use of the BC VPN is a privilege granted to User by Boise Cascade subject to the terms and conditions contained herein. If User does not abide by our terms and conditions, then we reserve the right to revoke the privilege granted herein and terminate User’s access to the BC VPN and IT Systems.

1.3. You are expected to read, understand, and follow these Terms of Use. However, no single policy can cover all the possible information security issues User may face. User must seek guidance from Boise Cascade before taking any actions that create information security risks or otherwise deviate from these Terms of Use. We may treat any failure to seek and follow such guidance as a violation of these Terms of Use.

1.4. Except where applicable law provides otherwise, User should have no expectation of privacy when using our IT Systems, including, but not limited to, transmitting and storing files, data, and messages. To enforce compliance with our policies and protect our interests, we reserve the right to monitor any use of our IT Systems to the extent permitted by applicable law. By using Boise Cascade’s IT Systems, User agrees to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, devices, or other printed or online media.

2. OWNERSHIP 

2.1. The policies referenced in these Terms of Use are aimed to ensure the security and protect the integrity of our IT Systems and the Data belonging to us. All data and electronic files created, sent, received, or stored on Boise Cascade owned, leased, or administered equipment or otherwise under the custody and control of Boise Cascade are the property of Boise Cascade (our “Data”). User acknowledges that, as between User and Boise Cascade, Boise Cascade owns all right, title, and interest, including all intellectual property rights, in and to the Data. User further acknowledges that: (i) the Data is an original compilation protected by United States copyright laws; (ii) Boise Cascade has dedicated substantial resources to collect, manage, and compile the Data; and (iii) the Data constitutes trade secrets of Boise Cascade. Data collected, stored, backed up, processed, or accessed using the BC VPN must be protected according to Boise Cascade’s policies and procedures, including, but not limited to Section 3.

2.2. Except for the limited rights expressly granted under these Terms of Use, nothing herein grants, by implication, waiver, estoppel, or otherwise, to User or any third party any intellectual property rights or other right, title, or interest in or to the Data.

3. CONFIDENTIALITY 

3.1. From time to time, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media/in written or electronic form or media, that is/and whether or not marked, designated, or otherwise identified as “confidential” (collectively, “Confidential Information”). Without limiting the foregoing, for purposes of these Terms of Use, the Data will be deemed Confidential Information of Boise Cascade. Confidential Information does not include information that, at the time of disclosure is: (i) in the public domain; (ii) known to the receiving Party at the time of disclosure; (iii) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (iv) independently developed by the receiving Party. 

3.2. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under these Terms of Use, including to make required court filings. 

3.3. Upon cessation of the BC VPN, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive for as long as such Confidential Information remains subject to trade secret protection under applicable law.

3.4. User shall use all reasonable legal, organizational, physical, administrative, and technical measures and security procedures to safeguard and ensure the security of the Data and to protect the Data from unauthorized access, disclosure, duplication, use, modification, or loss.

4. SECURITY AND ACCEPTABLE USE

4.1. User’s compliance with the following terms and conditions is mandatory:

    • User may only access the BC VPN using approved end-user devices that support our current minimum information security standards. Standards for end-user devices may include protective controls and specific configurations, such as anti-malware software, patching levels, and required operating system or other software versions. User may be denied remote access using devices that do not meet current standards. All computers connected to Boise Cascade’s network must: (i) use a market-leading anti-virus protection with the latest updates and signature files installed, (ii) remain updated with the latest critical operating systems patches, and (iii) use compatible firewall protection. Computers that do not comply with these requirements or are found to be infected with viruses or worms will be disconnected from Boise Cascade’s IT Systems. Boise Cascade shall not be responsible for any data loss or other damage that might result from such disconnection. 
    • When remotely connected to the BC VPN, User shall adhere to the same Boise Cascade rules and regulations that apply to on-site usage.
    • User must be physically present at the console of the computer and shall disconnect an active VPN connection when away from their computer, or User shall secure the computer to prevent unauthorized access to Boise Cascade’s network when the computer is unattended. Screen saver passwords, also known as “workstation timeouts” or “lock screens,” secure confidential information by protecting active computer sessions when User steps away. Locking screen savers must activate after a maximum inactivity time of [TIME LIMIT] minutes. 
    • Users authorized to access the BC VPN will be authenticated through User’s Boise Cascade network User ID and password. Users shall safeguard their VPN access credentials as well as its components (software/security token, if any) from any unauthorized use, and shall prevent unauthorized access to the BC VPN from any VPN-connected computer.
    • Users are required to have an account on the BC MS-Entra tenant with at least one MFA factor registered on the Entra account in order to access the BC VPN. An iOS or Android device can be registered for push notifications, mobile numbers for SMS, or landline numbers for callback. 

5. PROHIBITED ACTIVITIES 

5.1. Use of the BC VPN in the performance of activities unrelated to User’s work for Boise Cascade is strictly prohibited, including incidental personal use of Boise Cascade’s IT Systems. Users must not intentionally access, create, store, or transmit material which Boise Cascade may deem to be offensive, indecent, or obscene. 

5.2. Users shall not share any Data with any product offering that utilizes Artificial Intelligence (AI), Large Language Models (LLM), or Machine Learning (ML) technologies without Boise Cascade’s prior written consent. 

5.3. Under no circumstances is User authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Boise Cascade-owned resources. If we suspect illegal activities, we reserve the right to report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.

5.4. The following activities are also prohibited by Users, with no exceptions:  

    • Violations of the rights of any person or entity protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Boise Cascade. 
    • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). 
    • Revealing User’s account password to others or allowing use of User’s account by others. This includes family and other household members when work is being done at home. 
    • Using Boise Cascade-owned resources to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws. 
    • Attempting to access any data, electronic content, or programs contained on our IT Systems for which User does not have authorization, explicit written consent, or implicit need for User’s job duties. 
    • Installing any software, upgrades, updates, or patches on any computer or information system, installing or using non-standard shareware or freeware software, and/or installing, disconnecting, or moving any Boise Cascade-owned computer equipment and peripheral devices without Boise Cascade’s prior written consent. 
    • Purposely engaging in activity that degrades the performance of information systems, deprives an authorized user access to a Boise Cascade resource, obtains extra resources beyond those allocated, or circumvents Boise Cascade’s security measures such as downloading, installing, or running security programs or utilities that reveal passwords, private information, or exploit weaknesses in the security of a system. For example, Users must not run spyware, adware, password cracking programs, packet sniffers, port scanners, or any other nonapproved programs on our IT Systems. 
    • Circumventing user authentication or security of any host, network, or account. 
    • Interfering with, or denying service to, any user other than the employee’s host (for example, denial of service attack). 
    • Bridging Boise Cascade’s network to another network using the BC VPN connection.

6. INDEMNIFICATION

6.1. IN CONSIDERATION FOR USE OF THE BC VPN AND IT SYSTEMS, USER SHALL INDEMNIFY, HOLD HARMLESS, AND, AT BOISE CASCADE’S OPTION, DEFEND BOISE CASCADE FROM AND AGAINST ANY LOSSES RESULTING FROM ANY THIRD-PARTY CLAIM BASED ON USER’S: (I) NEGLIGENCE OR WILLFUL MISCONDUCT; (II) VIOLATION OF THESE TERMS OF USE; OR (III) USE OF THE DATA IN A MANNER NOT AUTHORIZED BY THIS AGREEMENT, PROVIDED THAT USER MAY NOT SETTLE ANY THIRD-PARTY CLAIM AGAINST BOISE CASCADE UNLESS SUCH SETTLEMENT COMPLETELY AND FOREVER RELEASES BOISE CASCADE FROM ALL LIABILITY WITH RESPECT TO SUCH THIRD-PARTY CLAIM OR UNLESS BOISE CASCADE CONSENTS TO SUCH SETTLEMENT, AND FURTHER PROVIDED THAT BOISE CASCADE SHALL HAVE THE RIGHT, AT ITS OPTION, TO DEFEND ITSELF AGAINST ANY SUCH THIRD-PARTY CLAIM OR TO PARTICIPATE IN THE DEFENSE THEREOF BY COUNSEL OF ITS OWN CHOICE.

7. DISCLAIMER OF WARRANTIES

7.1. THE BC VPN IS PROVIDED “AS IS” AND BOISE CASCADE HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. BOISE CASCADE SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. BOISE CASCADE MAKES NO WARRANTY OF ANY KIND THAT THE BC VPN, OR ANY PRODUCTS OR RESULTS OF ITS USE, WILL MEET USER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.