AAG Phishing Awareness Training Terms and Conditions
THE PHISHING AWARENESS TRAINING TERMS OF SERVICE (THE “AGREEMENT”) GOVERN CUSTOMER’S ACCESS AND USE OF PHISHING AWARENESS TRAINING’S SUBSCRIPTION SERVICES. “PHISHING AWARENESS TRAINING” SHALL MEAN PHISHING AWARENESS TRAINING, INC. AND ITS SUBSIDIARIES. IF CUSTOMER HAS FULLY EXECUTED A MASTER AGREEMENT WITH PHISHING AWARENESS TRAINING, SUCH MASTER AGREEMENT WILL GOVERN THE ACCESS AND USE OF THE SUBSCRIPTION SERVICES. CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN. BY ACCEPTING THIS AGREEMENT, EITHER BY: (1) CLICKING A BOX INDICATING ACCEPTANCE THROUGH THE SUBSCRIPTION SERVICES; (2) EXECUTING A QUOTE THAT REFERENCES THIS AGREEMENT; OR (3) USING PHISHING AWARENESS TRAINING’S SUBSCRIPTION SERVICES, CUSTOMER AGREES TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF AN ORGANIZATION OR LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS AND WARRANTS THAT THEY HAVE THE FULL POWER AND AUTHORITY TO BIND SUCH ORGANIZATION AND ITS AFFILIATES TO THESE TERMS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ORGANIZATION AND ITS AFFILIATES. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY OR DOES NOT AGREE WITH THESE TERMS, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SUBSCRIPTION SERVICES. Customer and Phishing Awareness Training may be referred to in this Agreement individually as a “party” or jointly as the “parties.” This Agreement governs all access and use of Phishing Awareness Training’s Subscription Services, as defined below, provided by Phishing Awareness Training to Customer. Phishing Awareness Training may update or make changes to this Agreement from time to time. Phishing Awareness Training encourages Customer to periodically review and check this Agreement for updates to stay informed about the terms that govern Customer’s use of the Subscription Services.
Customer’s continued use of the Subscription Services after Phishing Awareness Training makes any changes is deemed to be an acceptance of those changes. The Subscription Services may not be accessed for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes, or as otherwise restricted by this Agreement. Phishing Awareness Training’s direct competitors (or third party agents acting on behalf of such direct competitors) are prohibited from accessing the Subscription Services.
1. Definitions. For purposes of this Agreement:
o “Active User(s)” means Customer’s Users with active assigned Seats.
o “Affiliate” means an entity that, directly or indirectly, through one or more entities, controls; is controlled by; or is under common control with, the specified entity.
o “Beta Services” means the second phase of software testing in which a sampling of the intended audience samples a service prior to its general release where Customer, in return, provides Phishing Awareness Training feedback about the Beta Services.
o “Channel Partner” means an authorized Phishing Awareness Training reseller, distributor, or managed service provider through which Customer may acquire the Subscription Services and/or Professional Services.
o “Confidential Information” means all information or material disclosed by a party (the “Disclosing Party”) to the other party (the “Receiving Party”), whether orally or in writing, that: (a) gives either party some competitive business advantage, gives either party an opportunity of obtaining some competitive business advantage, or the disclosure of which may be detrimental to the interests of the Disclosing Party; and (b) is either: (i) marked “Confidential,” “Restricted,” “Proprietary,” or includes other similar markings; (ii) known by the parties to be confidential and proprietary; or (iii) from all the relevant circumstances should reasonably be assumed to be confidential and proprietary. The Subscription Services are deemed Confidential Information of Phishing Awareness Training.
o “Customer Privacy Notice” means Phishing Awareness Training’s Customer Privacy Notice located at Phishing Awareness Training.com/product-privacy-notice, or such other URL locations on Phishing Awareness Training’s website as Phishing Awareness Training may provide from time to time.
o “Documentation” means Phishing Awareness Training’s then-current generally available knowledge base that contains usage documentation, specifications, user manuals, and support guidance for the Subscription Services.
o “LMS” means a learning management system for the administration, documentation, tracking, reporting, and delivery of Training Content, that includes any e-learning education courses or training programs. Phishing Awareness Training provides a cloud-based LMS through its Web Hosted Services. Upon approval by Phishing Awareness Training, Customer may also opt to use its own, or a third party’s, LMS in accordance with the terms of this Agreement.
o “Professional Services” means any professional services, including implementation and installation services, managed services, consultancy services, or customization and branding services of Training Content as agreed upon by the parties and set forth in a Quote. Phishing Awareness Training may require Customer to enter into a statement of work (“SOW”) detailing the Professional Services to be performed.
o “Quote” means a purchasing document or other similar document, such as a purchase order or SOW, in connection with a purchase under this Agreement.
o “Seat(s)” refers to the number of Users permitted access to the Subscription Services pursuant to the user count purchased via a Quote.
o “Security Page” means Phishing Awareness Training’s security statement that provides information about Phishing Awareness Training’s security practices.
o “Software” means the object code version of any software that may be licensed by Customer under this Agreement for installation on Customer’s systems. To the extent Phishing Awareness Training delivers any updates or enhancements to Customer as part of the Support Services, such updates and enhancements will be deemed included in the definition of Software.
o “Subscription Services” means any Web Hosted Services, Software, Support Services, Professional Services, Training Content, and/or other services that Phishing Awareness Training offers to Customer, including any applicable Documentation.
o “Support Services” means maintenance and support of any Subscription Services provided by Phishing Awareness Training, as set forth in Exhibit A.
o “Subscription Term” means the term set forth in the respective Quote during which the Customer is granted access to the Subscription Services in accordance with this Agreement.
o “Training Content” means digital courseware, training modules, testing and training templates, games, posters, artwork, videos, newsletters, security documents, or other content and materials provided by Phishing Awareness Training and/or its third party licensors (as defined below).
o “User(s)” means Customer’s authorized employees or independent contractors, with an assigned unique business email address (i.e., an email address using a business email domain name that Customer owns or is authorized by the domain name owner to use for the purposes contemplated herein), who may access the applicable Subscription Services.
o “Web Hosted Services” means an application and/or database services hosted by Phishing Awareness Training or its agents, made available for remote access and use by Customer and its Users, under this Agreement.
2.1. The Client shall pay the Charges set out in the Order(s) and otherwise arising pursuant to the provisions herein in accordance with the payment terms set out herein. AIS reserves the right to increase the Charges and will give at least 30 days’ written notice of any such intention.
2.2. AIS will issue invoices to the Client in accordance with the terms set out in the Service Agreement document.
2.3. The Client shall pay the Charges in accordance with the terms of the relevant Order or, where no payment terms are set out in an Order, within thirty (30) days of invoice date.
2.4. Unless otherwise expressly set out to the contrary in the applicable Order Forms, the Client shall pay all expenses reasonably incurred by AIS that are attributable to the provision of the Goods and/or Services. Such expenses shall include without limitation the cost of travel outside Working Hours to and from supported sites, attendance at meetings, and preparation of reports, telephone charges and courier costs.
2.5. AIS reserves the right to invoice the Client in advance in respect of all fees payable as disbursements to third parties such as hardware or software vendors. In such cases, all monies paid by the Client shall be held on account by AIS on behalf of the Client.
2.6. Except as otherwise stated the Charges are exclusive of VAT and all other taxes which shall be payable by the Client. Where applicable the Charges are also exclusive of other fees and charges payable to any third party, including but not limited to third party hardware and software suppliers, internet service providers, and domain name and Client registries.
2.7. If payment is not received by the due date, AIS is entitled to charge interest on any unpaid amount at a daily rate which shall (after, as well as before, any unsatisfied judgement in respect thereof) be five per cent (5%) per annum above the Sterling base rate of HSBC Bank Plc. AIS shall also be entitled to recover its expenses in connection with such default in payment including legal expenses and costs of collecting. In the event of the Client’s failure to pay outstanding invoices, AIS reserves the right without any liability for the consequences thereof or any prejudice to the Client’s payment obligations hereunder, to suspend provision of the Services forthwith.
2.9. All amounts due under this Agreement shall be paid in full without any deduction or withholding other than as required by law and the Client shall not be entitled to assert any credit, set-off or counterclaim against AIS in order to justify withholding payment of any such amount in whole or in part.
2.10. The acceptance of any monies by AIS shall not be construed as an acceptance of such monies as the correct and full amount due and owing to AIS or as a waiver by AIS of any claims it may have against the Client.
3. Product Usage & Rights.
3.1. Subscription Services. For the duration of the Subscription Term, and in accordance with the terms of this Agreement and the Documentation, Phishing Awareness Training grants to Customer a non-exclusive, non-transferable, non-assignable right to access the applicable Subscription Services set forth in the Quote for Customer’s internal business use only, and not for resale or publication. If Software and/or Training Content downloads are enabled in the applicable Subscription Services, Customer will have the license right to download, install, use, execute, and display the Software and Training Content in accordance with this Agreement, the Documentation, and Section 4.3 (“Use of Customer or Third Party LMS”). Some Software or other components used in Phishing Awareness Training’s Subscription Services may be offered under an open source license.
3.2. Operation of the Subscription Services. The implementation and operation of Phishing Awareness Training’s Subscription Services, and any deliverables resulting from the Subscription Services, are performed by designated administrator(s) employed or contracted by Customer. Any Managed Services, as defined below, may be subject to additional fees.
3.3. Customer Users. The Subscription Services are only permitted to be used by the authorized number of Users for whom Customer paid the applicable Subscription Services fees. The Subscription Services are provided on a per-Seat, subscription basis. Customer is solely responsible for the management of access to the Subscription Services of its Users. The concurrent number of Active Users receiving access may not exceed the number of purchased Seats. If the number of Active Users exceeds the number of purchased Seats, Customer is obligated to either pay for any Seats that surpass the purchased amount or immediately reduce its number of Active Users. Customer is not permitted to freely re-assign Seats to Users. Phishing Awareness Training prohibits cycling of Seats amongst Customer’s personnel. If an Active User’s account is terminated or removed, that User’s Seat license is no longer considered active and may be allocated to another User upon written approval by Phishing Awareness Training. Notwithstanding the foregoing, Phishing Awareness Training’s approval is not required in the instance an Active User’s account is terminated or removed due to Customer’s termination of that Active User’s employment, or otherwise for termination of contract with that Active User, to account for Customer’s normal attrition in its workforce. Phishing Awareness Training reserves the right to monitor Customer’s compliance with this Section. Upon request by Phishing Awareness Training, Customer agrees to certify its compliance with this Section. Additional Seats may be added during the applicable Subscription Term and such additional Seats will be co-pending with the then-current Subscription Term and will terminate on the same date. Add-ons for more Seats, mid-Subscription Term, will be priced at the same volume, level, and term discount purchased under the applicable co-pending Quote and will be valid only until the end of such co-pending Subscription Term. 
New rates may apply upon renewal.
3.4. Support Services. Subscription Services are made available with standard Support Services for no additional charge. Support Services are made available in accordance with the terms and conditions set forth in Exhibit A. Notwithstanding the foregoing, Phishing Awareness Training will have no obligation to support: (a) services, hardware, or software provided by anyone other than Phishing Awareness Training; (b) Subscription Services issues caused by Customer’s negligence, abuse, or misapplication; or (c) Customer’s use of Subscription Services other than as specified in the Documentation.
3.5. Limited Access Account. In the event Customer is granted access or use of any Subscription Services on an evaluation or trial period basis, including any limited access accounts created by Customer, then, subject to the terms and conditions of this Agreement, Phishing Awareness Training hereby grants Customer, solely for its internal evaluation purposes, a revocable, limited, non-exclusive, non-transferable, non-assignable right to access the included Subscription Services for the Limited Access Period, subject to any terms or limitations expressly set forth in any activation email or Quote, as applicable. Customer may only use such Subscription Services from the earlier of: (1) the date this Agreement is accepted by Customer; or (2) the date in which Customer was permitted access to the Subscription Services by way of an activation email or Quote, until the expiration date set forth in applicable activation email, or, if no expiration date is set forth in the applicable activation email, thirty (30) days after the earlier of either (a) or (b) herein (the “Limited Access Period”). Customer and Phishing Awareness Training may extend the Limited Access Period upon mutual written agreement (including via email). This evaluation license and grant of access will terminate automatically upon expiration of the Limited Access Period. At any time prior to the end of the Limited Access Period, Phishing Awareness Training may terminate the Limited Access Period for the Subscription Services without notice. Upon any termination, Customer shall discontinue use and/or access to the Subscription Services unless and until Customer has agreed to purchase a license or grant of access to use and/or access such Subscription Services. 
During the Limited Access Period, all terms and conditions of this Agreement will apply, except that (i) no fees will be due from Customer, unless otherwise specified; (ii) the Subscription Services will be provided without warranties or indemnities of any kind and entirely on an “as-is” basis (e.g., Sections including Support Services, warranties and Phishing Awareness Training indemnity obligations will not apply); and (iii) additional evaluation terms and conditions may appear on the trial registration web page or activation email sent by Phishing Awareness Training, on the applicable Quote provided by Phishing Awareness Training, or by way of a proof of concept agreement executed between the parties. Any such additional terms and conditions shall be incorporated into this Agreement by reference and are legally binding. Apart from the foregoing limited license and grant of access, Customer is not being granted any right, title, or interest in or to the Subscription Services. All such rights are expressly reserved by Phishing Awareness Training. CUSTOMER DATA, INFORMATION, REPORTS, MATERIALS AND/OR CONFIGURATIONS TO THE SUBSCRIPTION SERVICES MAY BE PERMANENTLY LOST OR DELETED.
3.6. Beta Services. Phishing Awareness Training may offer Beta Services to Customer at no charge. Use of the Beta Services is at the election of Customer and is for evaluation purposes only. Beta Services are not considered “Subscription Services” and do not come with Support Services. Beta Services may be subject to additional terms. Phishing Awareness Training reserves the right to discontinue the Beta Services at any time. Use of the Beta Services will automatically terminate at such time that Phishing Awareness Training makes such Beta Services generally available. Beta Services may be unpredictable and lead to erroneous results. Customer acknowledges and agrees that: (a) Beta Services are experimental and have not been fully tested; (b) Beta Services may not meet Customer’s requirements; (c) the use or operation of any Beta Services may not be uninterrupted or error free; (d) Customer’s use of any Beta Services is for purposes of evaluating and testing the Beta Services and for providing feedback to Phishing Awareness Training; (e) Customer will inform its Users regarding the nature of Beta Services; and (f) Beta Services are considered Confidential Information. Customer will promptly report any errors, defects, or other deficiencies in any Beta Services to Phishing Awareness Training. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, ALL BETA SERVICES ARE PROVIDED “AS-IS” AND “AS-AVAILABLE,” WITHOUT WARRANTIES OF ANY KIND. Customer hereby waives any and all claims, now known or later discovered, that Customer may have against Phishing Awareness Training, and Phishing Awareness Training’s third party providers, and Phishing Awareness Training’s third party licensors (Phishing Awareness Training’s third party providers and Phishing Awareness Training’s third party licensors, collectively, “TPPs”) arising out of Customer’s use of Beta Services.
3.8. Intellectual Property. This is not a work made-for-hire agreement, as defined by U.S. or other applicable law. Phishing Awareness Training and its licensors own and reserve all right, title, and interest, including intellectual property rights, in the Subscription Services and all enhancements, modifications, and updates thereto. All rights and licenses granted by Phishing Awareness Training to the Subscription Services under this Agreement are not, and shall not, be deemed to be rights or licenses to “intellectual property,” as such term is used and interpreted under Section 365(n) of the United States Bankruptcy Code (11 U.S.C. § 365(n)), or other applicable laws. Except for express licenses granted in this Agreement, Phishing Awareness Training is not granting any interest, express or implied, in or to Phishing Awareness Training’s intellectual property. Phishing Awareness Training reserves all rights in such property.
3.9. Feedback. Customer may provide Phishing Awareness Training with suggestions, comments, or other feedback (collectively, “Feedback”) with respect to the Subscription Services. Feedback is voluntary. Phishing Awareness Training is not obligated to hold any Feedback in confidence. Phishing Awareness Training may use Feedback for any purpose without obligation of any kind. To the extent a license is required to make use of any intellectual property in any Feedback, Customer grants Phishing Awareness Training an irrevocable, non-exclusive, perpetual, royalty-free license to use such Feedback in connection with Phishing Awareness Training’s business, including the enhancement of the Subscription Services.
3.10. Subscription Services Analytics. Phishing Awareness Training may use and reproduce data for the development, maintenance, support, and improvement of current and future Subscription Services; for tracking Subscription Services usage metrics and statistics; for analyzing and reporting on threat intelligence; for training artificial intelligence/machine learning; and for other similar purposes (the “Subscription Services Analytics”). Phishing Awareness Training owns all rights in and to the Subscription Services Analytics. To the extent such data is publicly disclosed, it will only be disclosed in a generic or aggregated manner that does not directly or indirectly identify the Customer or any individual User and will exclude Customer Confidential Information and Personal Data (as defined below). Phishing Awareness Training shall implement industry standard practice technical safeguards that prevent reidentification of data and implement industry standard practice business processes to prevent inadvertent release of Customer Data (as defined below).
4. Customer Obligations and Restrictions.
4.1. Connectivity. Customer is solely responsible for all telecommunication or Internet connections, and associated fees, required to access and use the Subscription Services, as well as all hardware and software. Phishing Awareness Training is not responsible for: (a) Customer’s access to the Internet; (b) interception or interruptions of communications through the Internet; or (c) changes or losses of data through the Internet.
4.2. User Credentials. Customer will ensure User credentials (e.g., usernames and passwords) remain confidential, and Customer and Users will not disclose any such credentials to any third party. In addition, Customer will notify Phishing Awareness Training immediately upon discovery of an unauthorized disclosure of any such credentials or upon any unauthorized access. Upon any termination of the engagement or deactivation of any User with knowledge of any such credentials, Customer will immediately change such credentials and remove access for that User. Customer may only assign Seats to Users with unique email addresses with business domain names that Customer either owns or is authorized to use by the domain name owner in accordance with this Agreement and the applicable Documentation.
4.3. Use of Customer or Third Party LMS. In the event Customer uses its own or a third party’s LMS for hosting Training Content or other such content provided by Phishing Awareness Training or TPPs, Customer will ensure strict compliance in accordance with this Agreement and will ensure an agreement is in place with any such third party that contains substantially the same level of protection for the Training Content and other such content as contained herein. After the termination or expiration of the applicable Term (as defined below), Customer will ensure all Training Content and other such content is removed from its own, or the third party’s, possession.
4.4. Affiliates. Customer, if purchasing Seats on behalf of an Affiliate, will ensure its Affiliates comply with the terms of this Agreement. The use of the Subscription Services by the Affiliate and its Users represents acceptance of the terms of this Agreement by such Affiliate and its Users for which Customer will be jointly and severally liable with its Affiliate for any breach by the Affiliate or its Users of this Agreement. No Affiliate may directly enforce any provision of this Agreement. All actions to enforce this Agreement must be brought by Customer.
4.5. Restrictions. Customer agrees not to: (a) copy, reproduce, reverse engineer, disassemble, create derivative works from, decompile, or otherwise attempt to reveal the trade secrets or know-how underlying the Subscription Services; (b) use Phishing Awareness Training’s intellectual property or Confidential Information to develop a competitive offering or otherwise copy Phishing Awareness Training’s content, materials, and/or user interface for the development of similar services; (c) remove or destroy any copyright notices, other proprietary markings, or confidentiality legends placed on or made available through the Subscription Services; (d) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Subscription Services or the data contained therein (including without limitation penetration or other such security testing); (e) use the Subscription Services for competitive analytical, benchmarking, or market research purposes; or (f) use the Subscription Services in any manner or for any purpose inconsistent with the terms of this Agreement or the Documentation.
4.6. Customer acknowledges that some of Phishing Awareness Training’s Subscription Services are designed to assist Customer in training Users and may include developing, customizing, and sending fake cyber security attack campaigns for purposes of employee training, but that Customer, and not Phishing Awareness Training or any Channel Partners, will be responsible for Customer’s compliance with all laws and governmental regulations, and any results in connection with the Customer’s use of the Subscription Services (including any reports or information produced in connection therewith).
4.7. Customer Content.
4.7.1. Depending on the Subscription Services purchased via a Quote, Customer may use Phishing Awareness Training’s Subscription Services for the hosting of its assets, content, and other materials, such as certain reports; documents; manuals; audiovisual materials; photos; videos; and audio files, to make available to Active Users on or through the Phishing Awareness Training’s LMS or Web Hosted Services (“Customer Content”). Customer shall retain ownership of the Customer Content. Subject to, and conditioned on, Customer’s and its Users’ compliance with the terms and conditions of this Agreement, during the applicable Subscription Term, Phishing Awareness Training will provide Customer and Active Users remote electronic access to the Customer Content through the Subscription Services in accordance with this Agreement. Phishing Awareness Training has the right to: (a) take any action with respect to Customer Content that it deems necessary or appropriate, in Phishing Awareness Training’s sole discretion, including if Phishing Awareness Training reasonably believes that such Customer Content violates this Agreement, infringes any intellectual property right or other right of any person or entity, threatens the personal safety of any person, or creates potential liability for Phishing Awareness Training; (b) take appropriate legal action including, without limitation, referral to law enforcement related to any illegal or unauthorized Customer Content provided by Customer; or (c) terminate or suspend Customer’s access to the Subscription Services for violation of this Agreement. Customer grants Phishing Awareness Training, its TPPs, and each of their respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose the Customer Content as necessary to make the Customer Content available to Customer and its Active Users through the Subscription Services.
4.7.2. Customer represents and warrants that: (a) Customer owns all rights in and to the Customer Content and/or has the right to grant the licenses granted herein to Phishing Awareness Training, its TPPs, and each of their respective licensees, successors, and assigns; and (b) all Customer Content does and will continue to comply with this Agreement; (c) all Customer Content does and will continue to comply with all applicable laws and regulations; and (d) the Customer Content does not and will not: (i) contain any material which is defamatory, obscene, indecent, abusive, offensive, violent, hateful, inflammatory, or otherwise objectionable; (ii) promote sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age; (iii) infringe any patent, trademark, trade secret, copyright, or other intellectual property or other rights of any person; (iv) violate the legal rights (including the rights of publicity and privacy) of others or contain any material that may give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with this Agreement; (v) promote any illegal activity or advocate, promote, or assist in any unlawful act; (vi) intentionally create unreasonable disturbances to any other person or organization; or (vii) contain any: (A) viruses, trojan horses, worms, backdoors, or other software or hardware devices, the effect of which would permit unauthorized access to, or disable, erase, or otherwise harm any computer, systems, software, or content; or (B) time bombs, drop dead devices, or other software or hardware devices designed to disable a computer program automatically with the passage of time or under the positive control of any person, or otherwise deprive Phishing Awareness Training, or its customers/users, of its lawful rights. 
In addition to Customer’s indemnification obligations contained in this Agreement, Customer will defend and indemnify Phishing Awareness Training and hold it harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, and expenses (including, but not limited to, reasonable attorneys’ fees) incurred by Phishing Awareness Training as a result of any claim by a third party arising from Phishing Awareness Training’s hosting or distribution of the Customer Content as authorized under this Agreement. The procedure for indemnification will be as set forth in the Section covering Customer’s indemnification obligations.
5. Term and Termination.
5.1. Term. This Agreement will be effective as of the Effective Date and will remain in full force and effect until all Quote terms have expired or otherwise have been terminated (a Quote term individually, a “Subscription Term” and all Quote Subscription Terms, collectively, the “Term”).
5.2. Suspension. Phishing Awareness Training may, at its option, suspend Customer’s (or a User’s) use or access to the Subscription Services if: (a) Customer is in breach of the Agreement (including failure to make timely payment in accordance with Section 5.3.1); (b) Phishing Awareness Training believes that such use or access poses a security risk to the Subscription Services or to other Customers or users of the Subscription Services; (c) it is necessary to prevent damage to, or degradation of, the Subscription Services or Phishing Awareness Training’s systems; (d) such use or access violates any law, regulation, court order, or other governmental request; or (e) Phishing Awareness Training suspects fraud or abuse. Phishing Awareness Training will make commercially reasonable efforts to: (i) limit the suspension to the affected portion of the Subscription Services; and (ii) promptly resolve the issues causing the suspension of the Subscription Services. Nothing in this clause limits Phishing Awareness Training’s right to terminate for cause as outlined in this Agreement, or ability to terminate this Agreement in the instance Customer is acting, or has acted, in a manner that violates applicable law.
5.3.1. If Customer fails to pay any invoice when due and does not make such payment within fifteen (15) days after receipt of notice from Phishing Awareness Training of such failure, Phishing Awareness Training may, in its sole discretion, either: (a) suspend delivery or performance of any Quote, or any remaining balance thereof, until such payment is made; or (b) terminate any Quote. In either event, Customer will remain liable to pay for the Subscription Services.
5.3.2. Either party may terminate the Agreement or a Quote upon a material breach of the Agreement or Quote by the other, if the breaching party does not cure the breach within thirty (30) days after receipt of written notice from the other party specifying the breach.
5.3.3. Customer may terminate this Agreement or any applicable Quote at any time and for any reason upon providing thirty (30) days’ written notice to Phishing Awareness Training, provided Customer will not be entitled to reimbursement or relief of its future payment obligations.
5.3.4. Phishing Awareness Training may terminate this Agreement or any applicable Quote at any time and for any reason upon providing thirty (30) days’ written notice to Customer, provided Customer will be entitled to a prorated refund and relief of its future payment obligations for the unused portion of the Subscription Services.
5.4. Effects of Termination.
5.4.1. In the event the Agreement or Quote is terminated by Customer without cause, or by Phishing Awareness Training for cause, Customer will pay for all Subscription Services ordered as of the effective date of termination of the particular Quote. In addition, if a Quote specifies a Subscription Term for which Phishing Awareness Training will provide Subscription Services or Professional Services to Customer (e.g., thirty-six (36) months), and that Quote is terminated by Phishing Awareness Training for cause (including nonpayment) or by Customer without cause, then all future, recurring fees associated with the remaining Subscription Term of such Quote will become immediately due and payable, and will be paid by Customer to Phishing Awareness Training upon the effective date of such termination.
5.4.2. In the event Customer terminates the Agreement or Quote for material breach in accordance with this Agreement, Customer will be issued a refund for any unusable, pre-paid Subscription Services fees for the remainder of the Subscription Term, as applicable, of the affected Subscription Services.
5.4.3. Upon any termination, Customer’s right to use and access the Subscription Services (including any Training Content and other materials provided by Phishing Awareness Training) will immediately cease. Customer must return or destroy all copies (original and duplicates) of such Subscription Services, in accordance with this Agreement. Upon request by Phishing Awareness Training, Customer must provide to Phishing Awareness Training a certification of destruction.
5.4.4. During an applicable Subscription Term, Customer will have the ability to download a copy of its Customer Data contained in the Subscription Services in the form and format as such Customer Data exists in the Subscription Services. Upon termination or expiration of this Agreement or the Term, Phishing Awareness Training and its TPPs will have the right to delete or destroy Customer Data in its possession. Notwithstanding the foregoing, Phishing Awareness Training will be permitted to retain copies of data contained in an archive that: (a) are made in accordance with its security retention (including email retention) policy, a database backup, and/or disaster recovery procedures; or (b) are kept by Phishing Awareness Training for record-keeping, archival, or governance purposes in compliance with Phishing Awareness Training’s document retention policies. To the extent it is not commercially reasonable or technically feasible for Phishing Awareness Training to remove Customer Data from archive or other backup media, Phishing Awareness Training may retain Customer Data on such media in accordance with its retention, backup, or other disaster recovery procedures. Any such retained data will remain subject to the provisions of this Agreement for so long as it is retained.
5.4.5. The exercise of the right to terminate this Agreement and any Quote will be in addition to any other rights or remedies provided in this Agreement, or existing at law or equity, that are not otherwise excluded or limited under this Agreement.
6.1. Confidential Information. During the Term, each party may disclose to the other certain Confidential Information. Notwithstanding the foregoing, Confidential Information does not include information that: (a) is or becomes publicly available through no breach by the Receiving Party of this Agreement; (b) was previously known to the Receiving Party prior to the date of disclosure, as evidenced by contemporaneous written records; (c) was acquired from a third party without any breach of any obligation of confidentiality; or (d) was independently developed by a party hereto without reference to Confidential Information of the other party.
6.2. Protection of Confidential Information. Except as expressly provided in this Agreement, the Receiving Party will not use or disclose any Confidential Information of the Disclosing Party without the Disclosing Party’s prior written consent, except disclosure to, and subsequent uses by: (a) the Receiving Party’s employees or consultants on a need-to-know basis, provided that such employees or consultants have executed written agreements restricting use or disclosure of such Confidential Information that are at least as restrictive as the Receiving Party’s obligations under this Section; and/or (b) as required pursuant to a subpoena or other similar order of any court or government agency provided, however, that the party receiving such subpoena or order will promptly inform the other party in writing and provide a copy thereof (unless notice is precluded by the applicable process), and will only disclose that Confidential Information as necessary to comply with such subpoena or order. Subject to the foregoing nondisclosure and non-use obligations, the Receiving Party will use at least the same degree of care and precaution that it uses to protect the confidentiality of its own Confidential Information and trade secrets of similar nature, but in no event less than reasonable care. Each party acknowledges that due to the unique nature of the other party’s Confidential Information, the Disclosing Party will not have an adequate remedy in money or damages in the event of any unauthorized use or disclosure of its Confidential Information. In addition to any other remedies that may be available in law, in equity, or otherwise, the Disclosing Party shall be entitled to seek injunctive relief to prevent such unauthorized use or disclosure.
6.3. Return and Destruction of Materials. All documents and other tangible objects containing or representing Confidential Information that have been disclosed by either party to the other party, and all summaries, copies, descriptions, excerpts, or extracts thereof that are in the possession of the other party will be, and remain, the property of the Disclosing Party and will be promptly returned to the Disclosing Party. The Receiving Party will use reasonable efforts to promptly delete or destroy all summaries, copies, descriptions, excerpts, or extracts thereof in its possession upon the Disclosing Party’s written request. The Receiving Party will have no obligation to delete or destroy copies that: (a) are contained in an archived computer system backup that were made in accordance with such party’s security, retention, and/or disaster recovery procedures; or (b) are kept by a party for record-keeping, archival, or governance purposes in compliance with such party’s document retention policies. Any such retained Confidential Information will remain subject to the terms and conditions of this Agreement for so long as it is retained. Notwithstanding the return or destruction of the Confidential Information, the Receiving Party will continue to be bound by its confidentiality and other obligations hereunder in accordance with the terms of this Agreement. At the Disclosing Party’s option, the Receiving Party will provide written certification of its compliance with this Section.
7. Data Rights and Protection.
7.1. Customer Data. Customer grants Phishing Awareness Training a non-exclusive, world-wide, royalty-free license to use data and other information including, but not limited to, Personal Data processed or stored through the Subscription Services by Customer or on behalf of Customer (“Customer Data”): (a) in accordance with this Agreement; (b) in accordance with the Customer Privacy Notice; (c) for the provision of the Subscription Services including any Professional Services and Support Services; and/or (d) as may be required by law. “Personal Data” means personally identifiable information as defined by applicable law. Customer will be responsible for obtaining all rights, permissions, and authorizations to provide Customer Data to Phishing Awareness Training for use as contemplated under this Agreement. Except for the limited license granted herein, nothing contained in this Agreement will be construed as granting Phishing Awareness Training any right, title, or interest in the Customer Data.
7.2. Data Security. Customer Data is maintained in accordance with Exhibit B using industry standard administrative, physical, and technical safeguards that are designed to provide for the protection of the security, confidentiality, and integrity of Customer Data. Phishing Awareness Training’s security safeguards include means for preventing access, use, modification, and disclosure of Customer Data by unauthorized individuals. Notwithstanding the foregoing, Customer Data access may be provided: (a) to Phishing Awareness Training and other personnel to the extent necessary to provide the Subscription Services, Professional Services, and Support Services; (b) as compelled by law; (c) as set forth in the Customer Privacy Notice; or (d) as expressly permitted by Customer. Phishing Awareness Training’s Subscription Services currently operate in third party data centers that have been built with high availability, business continuity, and disaster recovery in mind. Phishing Awareness Training’s cloud architecture follows industry standard security practices and is regularly assessed for vulnerabilities and risks. Information about Phishing Awareness Training’s information security practices may be found at Phishing Awareness Training’s Security Page.
7.3. Data Protection. The collection, use, and disclosure of Customer Data in connection with Customer’s use of the Subscription Services is subject to the Customer Privacy Notice. By using the Subscription Services, Customer and each User acknowledge that the Customer Data will be processed in accordance with both the Customer Privacy Notice and this Agreement and may be processed in a country where it was collected, as well as in countries where privacy laws may be different or less stringent, provided Phishing Awareness Training ensures compliance with applicable data protection laws. By using the Subscription Services, or submitting Customer Data via the Subscription Services, Customer expressly consents to such processing. To the extent Customer or User provides Personal Data or other information belonging to a third party, Customer represents and warrants that it has that person’s, or organization’s, or other such third party’s proper consent, or otherwise proper authorization, to do so. In the event Customer enters into a Data Processing Agreement with Phishing Awareness Training, such Data Processing Agreement will govern the data handling practices between the parties and will supersede the language contained in this Section in the event of a conflict.
7.4. Third Party Products. Customer (and its Users, as permitted by Customer) may choose to use or procure other third party products or services in connection with the Subscription Services, including third party integrations or implementation, customization, training, or other services. Customer’s use of any such third party products or services (and the third parties’ use of any of Customer Data) is subject to a separate agreement between Customer and the third party provider. If you enable or use third party products or services with the Subscription Services (including any third party integrations), Phishing Awareness Training will allow the third party providers to access or use Customer Data as required for the interoperation of their products and services with the Subscription Services, provided it is permissible in accordance with the Documentation and this Agreement. This may include transmitting, transferring, modifying, or deleting Customer Data, or storing Customer Data on systems belonging to the third party providers or other third parties. Any third party provider’s use of Customer Data is subject to the applicable agreement between Customer and such third party provider. Phishing Awareness Training is not responsible for any access to, or use of, Customer Data by third party providers or their products or services, or for the security or privacy practices of any third party provider or its products or services. Customer is solely responsible for Customer’s decision to permit any third party provider or third party product or service to use Customer Data. It is Customer’s responsibility to carefully review the agreement between Customer and the third party provider, as provided by the applicable third party provider. 
AS FURTHER SET FORTH BELOW, PHISHING AWARENESS TRAINING DISCLAIMS ALL LIABILITY AND RESPONSIBILITY FOR ANY THIRD PARTY PRODUCTS OR SERVICES (WHETHER SUPPORT, AVAILABILITY, SECURITY, OR OTHERWISE) OR FOR THE ACTS OR OMISSIONS OF ANY THIRD PARTY PROVIDERS OR VENDORS.
7.5. Protected Health Information, Payment Card Information, and other Sensitive Information. Phishing Awareness Training does not need, nor does Phishing Awareness Training request, any protected health information (“PHI”) governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). Phishing Awareness Training does not need, nor does Phishing Awareness Training request, any non-public consumer personally identifiable information or financial information governed by the Gramm-Leach-Bliley Act (“GLBA”) or payment card information covered by the Payment Card Industry Data Security Standards (“PCI DSS”) in order to provide Phishing Awareness Training’s Subscription Services. Customer should never disclose, nor allow to be disclosed, PHI or information protected by GLBA, PCI DSS, or other sensitive information to Phishing Awareness Training. Customer acknowledges that Phishing Awareness Training does not take steps to ensure Phishing Awareness Training’s Subscription Services are compliant with HIPAA, GLBA, PCI DSS, or equivalent laws and regulations. All obligations of the aforementioned regulations remain solely with Customer. Phishing Awareness Training’s Subscription Services are not intended for use with minors (as defined by applicable law). Customer is prohibited from authorizing minors, as defined by applicable law, to use or access the Subscription Services, except as otherwise provided in a signed writing by an authorized representative of Phishing Awareness Training.
8.1. Anti-Bribery & Corruption. Customer will not: (a) make any unlawful payments to any government official or employee; (b) make any unlawful payment to any person or unlawfully provide anything of value (whether as property, services, or in any other form) to any person for the purpose of obtaining an improper business advantage; or (c) agree, commit, or otherwise offer to undertake any of the foregoing actions in connection with this Agreement or any related activities.
8.2. International Trade Compliance. The sale, resale, or other disposition of Subscription Services and any related technology or documentation are subject to various economic sanctions, export control laws, and other restrictive trade measures administered by the U.S. and other applicable governments. Because these laws may have extraterritorial effect, Customer will comply with all such measures where applicable, including, without limitation: (a) the Export Administration Act of 1979, as amended (50 U.S.C. §§ 2401–2420) and the Export Administration Regulations, 15 C.F.R. §§ 730–774 (“EAR”); (b) the Arms Export Control Act, 22 U.S.C. § 2778, and the corresponding International Traffic in Arms Regulations (“ITAR”); (c) the economic sanctions laws and regulations enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), 31 C.F.R. §§ 500, et seq., and the U.S. Department of State; and (d) the anti-boycott regulations, guidelines, and reporting requirements under the Export Administration Regulations and Section 999 of the Internal Revenue Service Code. Customer understands and acknowledges that it is solely responsible for complying with such laws whenever applicable. Customer further understands and acknowledges that it will not directly or indirectly export, import, sell, disclose, or otherwise transfer any Subscription Services to any country or party subject to such restrictions, and that it is solely responsible for obtaining any license(s) to export, re-export, or import the Subscription Services that may be required.
8.3. Anti-Money Laundering. Customer represents and warrants that all payments will be made by its legal entity as identified in the Quote or this Agreement (or by its Affiliates) entering into this Agreement and that Customer will not misrepresent or attempt to conceal the identity of the party paying or any recipient(s) of the Subscription Services.
8.4. Background Checks. In accordance with Phishing Awareness Training’s background check policy for its U.S. entity, and to the extent allowed by applicable laws, Phishing Awareness Training has not knowingly employed any persons who, in the past seven (7) years, have been convicted of an offense involving violence, theft, fraud, money laundering, sex crimes, or other offenses that pose an unacceptable level of risk, given the scope of the applicable employment position and Phishing Awareness Training’s business needs.
9. Warranties and Disclaimers.
9.1. Subscription Service Warranties. The Subscription Services will materially conform to the then-current applicable Documentation, and during the applicable Subscription Term, Phishing Awareness Training will not materially decrease the overall functionality of the Subscription Services. Customer must promptly notify Phishing Awareness Training of any breach of this warranty. Customer’s sole and exclusive remedy, and Phishing Awareness Training’s sole and exclusive liability, for a breach of the foregoing warranty will be for Phishing Awareness Training to provide Support Services to repair or replace the relevant Subscription Service within thirty (30) days of such notice of non-conformity. If Phishing Awareness Training is unable to remedy such non-conformity within such period to cure, Customer will be entitled to terminate the relevant Quote and will be issued a refund for any pre-paid Subscription Services fees for the unusable portion of the Subscription Services from the date of Phishing Awareness Training’s receipt of adequate notice of an actual non-conformity. Phishing Awareness Training will not be responsible for any breach of the foregoing warranty resulting from Customer’s abuse or misuse of the Subscription Services or failure to use the Subscription Services as described in this Agreement, including failure to use the Subscription Services in accordance with its operational requirements described in the Documentation, and provided that Customer will not be entitled to any refund or relief of payment obligations if Customer is also in breach of the Agreement at the time of such termination. Customer is required to sufficiently detail the non-conformity in a manner that allows Phishing Awareness Training to properly assist with the remediation. Phishing Awareness Training will not be responsible for delays in remediation caused by Customer’s failure to respond to requests by Phishing Awareness Training.
Customer understands that the Subscription Services will only operate in accordance with Phishing Awareness Training’s Documentation, and it is Customer’s responsibility to ensure that the Subscription Services will be fit for its purposes and to ensure that the Subscription Services will be supported by Customer’s technology and business environment.
9.2. Professional Service Warranties. Phishing Awareness Training warrants that Phishing Awareness Training will provide the Professional Services in a professional, workmanlike manner consistent with this Agreement. Customer must notify Phishing Awareness Training of any breach of this warranty within thirty (30) days of discovery of the breach. Customer’s sole and exclusive remedy, and Phishing Awareness Training’s sole and exclusive liability, for a breach of the foregoing warranty will be for Phishing Awareness Training, in its sole discretion, either to use reasonable efforts to re-perform the Professional Services or to terminate the relevant Quote or SOW and issue a refund for the portion of pre-paid Professional Services fees for the non-conforming Services.
9.3. Compliance Warranties. Each party warrants that it will comply with all laws and regulations applicable to its provision or use of the Subscription Services.
9.4. Disclaimers. EXCEPT FOR THE LIMITED WARRANTIES IN THIS SECTION: (A) THE SUBSCRIPTION SERVICES ARE PROVIDED “AS IS,” WITH ALL FAULTS, AND WITHOUT WARRANTIES OF ANY KIND; AND (B) PHISHING AWARENESS TRAINING EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, QUIET ENJOYMENT, QUALITY OF INFORMATION, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. PHISHING AWARENESS TRAINING DOES NOT WARRANT THAT THE OPERATION OF THE SUBSCRIPTION SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE OR THAT DEFECTS IN THE SUBSCRIPTION SERVICES WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION, MARKETING, OR PROMOTIONAL MATERIALS, OR ADVICE GIVEN BY PHISHING AWARENESS TRAINING OR PHISHING AWARENESS TRAINING’S AUTHORIZED REPRESENTATIVES WILL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THE EXPRESS WARRANTIES PROVIDED HEREIN. CUSTOMER ACKNOWLEDGES THAT TRAINING CONTENT IS FOR GENERAL INFORMATION PURPOSES ONLY AND THAT PHISHING AWARENESS TRAINING IS NOT A LAW FIRM, NOR DOES IT PROVIDE ANY PROFESSIONAL OR ADVISORY SERVICES. THE INFORMATION PRESENTED IS NOT LEGAL ADVICE AND IS NOT TO BE ACTED ON AS SUCH. THE SUBSCRIPTION SERVICES MAY CONTAIN THE TRADE NAMES OR TRADEMARKS OF VARIOUS THIRD PARTIES AND, IF SO, ANY SUCH USE IS FOR ILLUSTRATIVE AND EDUCATIONAL PURPOSES ONLY. ALL SUBSCRIPTION SERVICES AND COMPANY NAMES ARE PROPERTY OF THEIR RESPECTIVE OWNERS. USE OR DISPLAY OF THE TRADEMARKS DOES NOT IMPLY ANY AFFILIATION WITH, ENDORSEMENT BY, OR ASSOCIATION OF ANY KIND BETWEEN SUCH THIRD PARTIES AND PHISHING AWARENESS TRAINING.
9.5. THE SUBSCRIPTION SERVICES MAY BE USED TO ACCESS AND TRANSFER INFORMATION OVER THE INTERNET. CUSTOMER ACKNOWLEDGES AND AGREES THAT PHISHING AWARENESS TRAINING AND ITS TPPS DO NOT OPERATE OR CONTROL THE INTERNET AND THAT: (A) VIRUSES, WORMS, TROJAN HORSES, OR OTHER UNDESIRABLE DATA OR SOFTWARE; OR (B) UNAUTHORIZED USERS (E.G., HACKERS) MAY ATTEMPT TO OBTAIN ACCESS TO, AND DAMAGE, CUSTOMER DATA, WEBSITES, COMPUTERS, OR NETWORKS. PHISHING AWARENESS TRAINING WILL NOT BE RESPONSIBLE FOR THOSE ACTIVITIES. FURTHER, EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD PARTY HOSTING PROVIDERS. CUSTOMER IS SOLELY RESPONSIBLE FOR ITS ACTIONS USING FEATURES OR COMPONENTS OF THE SUBSCRIPTION SERVICES THAT INTEGRATE WITH CUSTOMER’S INFORMATION TECHNOLOGY SYSTEMS AND ACKNOWLEDGES THAT PHISHING AWARENESS TRAINING IS NOT RESPONSIBLE FOR: (I) CUSTOMER’S ACTIONS WITHIN ITS SYSTEMS USING SUCH FEATURES OR COMPONENTS; (II) CUSTOMER’S BACKUPS OF ITS INFORMATION TECHNOLOGY SYSTEMS; AND/OR (III) CUSTOMER’S COMPLIANCE WITH APPLICABLE LAW.
10.1. Phishing Awareness Training Indemnity Obligations. Phishing Awareness Training will defend and indemnify Customer from and against any claims filed against Customer arising from a third party that allege Customer’s authorized use of the Subscription Services directly infringes that third party’s valid U.S. patent, copyright, or trade secret rights. Phishing Awareness Training agrees to pay any amounts finally awarded by a court of law or pursuant to a settlement in respect of such third party claim (including, but not limited to, reasonable attorneys’ fees).
10.1.1. Standard Exclusions. Notwithstanding the foregoing, Phishing Awareness Training will have no obligation with respect to any claim of infringement to the extent it is based upon or arises out of Customer’s (including its representatives): (a) use or combination of the Subscription Services with any third-party intellectual property not authorized by Phishing Awareness Training; (b) modification or alteration of the Subscription Services by Customer, or Customer’s representatives, not authorized by Phishing Awareness Training or the Documentation; (c) use of the Subscription Services in excess of the permissible uses in the Agreement or the Documentation; (d) specifications or other intellectual property provided by Customer; or (e) failure to implement updates, modifications, or replacements issued by Phishing Awareness Training to the Subscription Services (collectively, the “Excluded Claims”).
10.1.2. Process. The foregoing indemnification obligation of Phishing Awareness Training is contingent upon Customer promptly notifying Phishing Awareness Training in writing of such claim (provided the failure or delay in doing so will not relieve Phishing Awareness Training from any obligations to indemnify Customer except to the extent that such delay or failure materially prejudices the defense of such claim), permitting Phishing Awareness Training sole authority to control the defense or settlement of such claim and providing Phishing Awareness Training reasonable assistance (at Phishing Awareness Training’s sole expense) in connection therewith.
10.1.3. Remedies. If a claim of infringement under this Section occurs, or if Phishing Awareness Training determines a claim is likely to occur, Phishing Awareness Training will have the right, in its sole discretion, to either: (a) procure for Customer the right or license to continue to use the Subscription Services free of the infringement claim; or (b) modify the Subscription Services to make them non-infringing, without loss of material functionality. If neither of these remedies is reasonably available to Phishing Awareness Training, Phishing Awareness Training may, in its sole discretion, immediately terminate this Agreement and related Quote and provide a prorated refund for any prepaid Subscription Services fees for the unusable portion of the Subscription Services for the remainder of the applicable Subscription Term. The provisions of this Section state the sole and exclusive obligations and liability of Phishing Awareness Training and its licensors and suppliers for any claim of intellectual property infringement arising out of or relating to the Subscription Services or this Agreement, and are in lieu of any implied warranties of non-infringement, all of which are expressly disclaimed.
10.2. Customer Indemnity Obligations. Customer will defend and indemnify Phishing Awareness Training from and against any third party claims as a result of any claim by a third party arising from: (a) Customer’s use of the Subscription Services in breach of this Agreement; (b) Phishing Awareness Training’s authorized use of the Customer Data; or (c) the Excluded Claims. Customer agrees to pay any amounts finally awarded by a court of law or pursuant to a settlement in respect of such third party claim (including, but not limited to, reasonable attorneys’ fees). The foregoing indemnification obligation of Customer is contingent upon Phishing Awareness Training promptly notifying Customer in writing of such claim (provided the failure or delay in doing so will not relieve Customer from any obligations to indemnify Phishing Awareness Training except to the extent that such delay or failure materially prejudices the defense of such claim), permitting Customer sole authority to control the defense or settlement of such claim, provided that Customer may not settle any such claim unless it unconditionally releases Phishing Awareness Training of all liability, and providing Customer reasonable assistance (at Customer’s sole expense) in connection therewith.
11. Limitations of Liability.
11.1. NEITHER PHISHING AWARENESS TRAINING NOR ITS THIRD PARTY PROVIDERS OR LICENSORS WILL HAVE ANY LIABILITY TO CUSTOMER OR ANY THIRD PARTY FOR ANY LOSS OF PROFITS, SALES, BUSINESS, DATA, OR OTHER INCIDENTAL, CONSEQUENTIAL, OR SPECIAL LOSS OR DAMAGE, INCLUDING EXEMPLARY AND PUNITIVE DAMAGES, OF ANY KIND OR NATURE RESULTING FROM, OR ARISING OUT OF, THIS AGREEMENT, THE SUBSCRIPTION SERVICES, ANY PROFESSIONAL SERVICES, OR ANY SUPPORT SERVICES RENDERED HEREUNDER. THE TOTAL LIABILITY OF PHISHING AWARENESS TRAINING AND ITS TPPs TO CUSTOMER OR ANY THIRD PARTY ARISING OUT OF THIS AGREEMENT, THE SUBSCRIPTION SERVICES, ANY PROFESSIONAL SERVICES, AND ANY SUPPORT SERVICES RENDERED HEREUNDER FOR ANY AND ALL CLAIMS OR TYPES OF DAMAGES WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE HEREUNDER BY CUSTOMER FOR THE SUBSCRIPTION SERVICES, ANY PROFESSIONAL SERVICES, AND ANY SUPPORT SERVICES AS TO WHICH THE LIABILITY RELATES, IN THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT GIVING RISE TO LIABILITY. Both parties specifically acknowledge that the limitations of liability and the exclusion of certain losses or damages stated in this Section represent the agreed, bargained-for understanding of the parties and are reflected in the applicable Subscription Services fees. The limitation of liability and types of losses or damages stated in this Agreement are intended by the parties to apply, regardless of the form of lawsuit or claim a party may bring, whether in tort (including negligence), contract, or otherwise, and regardless of whether any limited remedy provided for in this Agreement fails of its essential purpose.
12. Miscellaneous Provisions.
12.1. Freedom of Information; Government Public Disclosure Requests. The purpose of the relationship between Phishing Awareness Training and Customer is for Customer to purchase a subscription to the Subscription Services that contain software, content, and information related to internet security awareness training, IT risk management, regulatory compliance, simulation of security attacks, vulnerability assessments, and other subscription service and service offerings. The Subscription Services, and any Confidential Information disclosed, are proprietary to Phishing Awareness Training and are an important business asset of Phishing Awareness Training (the “Proprietary Information”). The Proprietary Information consists of protected financial data, trade secrets, and commercially valuable information that, if disclosed, would harm the competitive position of Phishing Awareness Training. In the event of a statutory public disclosure request for release of Phishing Awareness Training’s Proprietary Information, Customer will ensure that its response to such request will be limited to the minimum necessary, based upon the opinion of counsel. Customer will promptly, but no later than five (5) business days after receiving such request, forward the request to Phishing Awareness Training. Customer will not release any Proprietary Information except pursuant to written instructions by Phishing Awareness Training or a final un-appealable court order.
12.2. Insurance. Phishing Awareness Training will maintain insurance coverages as required by law or regulation, with an insurance carrier or carriers having an A.M. Best rating of A- or better, or an equivalent rating by another rating agency in the following minimum amounts: (a) Comprehensive General Liability – not less than $1,000,000 per occurrence, $2,000,000 general aggregate; (b) Errors and Omissions (including Cyber & Privacy) – not less than $5,000,000 in the aggregate; and (c) Workers Compensation Coverage – as required by applicable law. Upon Customer’s written request, Phishing Awareness Training will furnish a Certificate of Insurance evidencing its insurance coverage to Customer.
12.3. Independent Contractor. Phishing Awareness Training, its personnel, agents, subcontractors, and independent contractors are not employees or agents of Customer and are acting as independent contractors with respect to Customer. Neither party is, nor will be, considered to be an agent; distributor; partner; joint venture; or representative of the other party for any purpose, and neither party will have the authority to act on behalf of, or in the name of, or to bind, the other party in any manner whatsoever.
12.4. Force Majeure. Neither party to this Agreement will be liable for delays or failures in performance under this Agreement (other than for payment obligations or breach of confidentiality requirements) resulting from acts or events beyond the reasonable control of such party, including acts of war, terrorism, acts of God, natural disasters (fires, explosions, earthquakes, hurricane, flooding, storms, explosions, infestations), embargos, riots, sabotage, governmental acts, failure of the Internet, power failures, energy interruptions or shortages, other utility interruptions, or telecommunications interruptions, provided that the delayed party: (a) gives the other party notice of such cause without undue delay; and (b) uses its reasonable commercial efforts to promptly correct such failure or delay in performance.
If the Customer is domiciled in:
Without giving effect to any choice or conflict of law provisions, rules, or principles, the governing law is the laws of:
Venue/Courts with exclusive jurisdiction are:
Additional terms included are:
A country in North America, Central America, South America or Caribbean, other than Brazil. If Customer is domiciled in a geographic region that does not fall into one of the designations described in this table, then Customer will fall into this category.
Florida and controlling United States federal law
Hillsborough County, Florida, U.S.
Notwithstanding the foregoing, the parties will have the right to seek injunctive or pre-judgment relief in any court of competent jurisdiction to prevent or enjoin the misappropriation, misuse, infringement or unauthorized disclosure of its Confidential Information or intellectual property rights. No Federal Acquisition Regulations will be construed to apply to Phishing Awareness Training without Phishing Awareness Training’s written agreement thereto. The United Nations Convention for the International Sale of Goods will not apply to this Agreement. THE PARTIES HERETO WILL AND THEY HEREBY DO WAIVE TRIAL BY JURY IN ANY ACTION, PROCEEDING OR COUNTERCLAIM BROUGHT BY EITHER OF THE PARTIES HERETO AGAINST THE OTHER ON ANY MATTERS WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THIS AGREEMENT.
A country in EMEA (Middle East, Europe and Africa) other than United Kingdom, South Africa, Germany, Austria and/or Switzerland
Germany, Austria or Switzerland
Federal Republic of Germany
The UN Convention on Contracts for the International Sale of Goods (UNCITRAL) will not apply.
England and Wales
Australia, New Zealand or Oceania
Tokyo District Court
Federative Republic of Brazil
São Paulo, State of São Paulo, Brazil
The parties agree that any subpoena or notice relating to the proceeding will be made by registered correspondence.
England and Wales
A country in the Asia-Pacific region, other than Japan, Australia, New Zealand or Oceania
12.7. Entire Agreement; Construction; Modifications; Severability; Survivability. This Agreement, including any and all exhibits attached hereto, constitutes the entire understanding between the parties related to this Agreement which understanding supersedes and merges all prior understandings and all other proposals, letters, agreements, whether oral or written. The parties further agree that there are no other inducements, warranties, representations, or agreements regarding the matters herein between the parties except as expressly set forth in this Agreement. In the event of any conflict between the body of this Agreement and any Quote, or additional agreements entered into by the parties, the body of this Agreement will control, unless otherwise expressly stated in a signed writing by authorized representatives of the parties. In the event that the Customer or Users are presented with Phishing Awareness Training click-wrap, the contents of this Agreement will supersede any conflicting terms. As used herein, the term “including” will mean “including, without limitation”; the term “includes” as used herein will mean “includes, without limitation”; and terms appearing in the singular will include the plural, and terms appearing in the plural will include the singular. This Agreement may not be modified, amended, or altered in any manner except by a written agreement signed by authorized representatives of the parties, and any attempt at oral modification will be void and of no effect. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in full force and effect. 
All provisions of this Agreement relating to confidentiality, non-disclosure, intellectual property, disclaimers, limitation of liability, indemnification, payment, and any other provisions which must survive in order to give effect to their meaning will survive the termination of this Agreement. PHISHING AWARENESS TRAINING SPECIFICALLY OBJECTS TO ANY ADDITIONAL TERMS BEING ADDED THROUGH A CUSTOMER-PROVIDED PURCHASE ORDER OR SIMILAR DOCUMENT. IF A PURCHASE ORDER IS REQUIRED BY CUSTOMER, THE PARTIES AGREE THAT ANY ADDITIONAL TERMS CONTAINED THEREIN WILL NOT BECOME PART OF THE AGREEMENT BETWEEN THE PARTIES AND, SPECIFICALLY, THAT THE TERMS OF THIS AGREEMENT WILL SUPERSEDE AND REPLACE ANY AND ALL TERMS IN ANY PURCHASE ORDER.
12.8. Headings; Counterparts; Electronic Signatures. The headings contained in this Agreement are for purposes of convenience, only, and will not affect the meaning or interpretation of this Agreement. This Agreement may be executed in two or more original or facsimile counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. The parties agree that the electronic signature of a party to this Agreement will be as valid as an original signature of such party and will be effective to bind such party to this Agreement. The parties agree that any electronically signed document (including this Agreement) will be deemed: (a) to be “written” or “in writing”; (b) to have been signed; and (c) to constitute a record established and maintained in the ordinary course of business and an original written record when printed from electronic files. Such paper copies or “printouts,” if introduced as evidence in any judicial, arbitral, mediation, or administrative proceeding, will be admissible as between the parties to the same extent and under the same conditions as other original business records created and maintained in documentary form. For purposes hereof, “electronic signature” means a manually-signed original signature that is then transmitted by electronic means; “transmitted by electronic means” means sent via the internet as a “.pdf” (portable document format) or other replicating image attached to an email message; and, “electronically signed document” means a document transmitted by electronic means and containing, or to which there is affixed, an electronic signature.
12.9. Assignment. This Agreement may not be assigned or transferred by either party without the prior written consent of the other party, which consent will not be unreasonably withheld, conditioned, or delayed. Notwithstanding the foregoing, either party may assign its rights and obligations under this Agreement, in whole but not in part, without the other party’s permission, to an Affiliate (provided previously purchased licenses, access rights, and Seats for the Subscription Services will not be assignable or transferable without written consent from Phishing Awareness Training) or in connection with any merger, consolidation, sale of all or substantially all of such assigning party’s assets, or any other similar transaction, provided, that the assignee: (a) is not a direct competitor of the non-assigning party; (b) is capable of fully performing the obligations under this Agreement; and (c) agrees to be bound by the provisions of this Agreement.
12.10. No Waiver. No failure or delay in exercising any right under this Agreement shall constitute a waiver of such right. Except as otherwise provided, remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.
12.11. Notices. Except as otherwise specified in this Agreement, all notices related to this Agreement will be in writing and will be effective upon (a) personal delivery, (b) the third business day after mailing, or (c) the day of sending by email. All notices from Customer pertaining to contractual or legal matters (i.e. breach of contract, termination, indemnifiable claims, etc.) must clearly be identified and marked as Legal Notices to the address listed below. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer. All other notices to Customer will be addressed to the relevant account administrator designated by Customer.
Notice address for Phishing Awareness Training:
AAG IT Services, Unit 3, Hazel Court, Midland Way, Barlborough, Chesterfield S43 4FD
EXHIBIT A – SERVICE LEVEL AGREEMENT
This Service Level Agreement (“SLA”) is for the provisioning of Support Services required to support and sustain the Subscription Services under the Agreement to which this SLA is attached. This SLA is valid for the Subscription Term specified in the applicable Quote. Termination of the Agreement and/or a Quote will result in termination of this SLA.
Availability & Uptime. Phishing Awareness Training agrees to: (a) make the Subscription Services available to Customer pursuant to the Agreement and the applicable Quote; (b) provide Support Services for the Subscription Services to Customer at no additional charge, and/or upgraded support if purchased; and (c) use commercially reasonable efforts to make the online Subscription Services available 99.9% of the time to be measured annually, excluding any planned downtime, maintenance windows, or any unavailability caused by circumstances beyond Phishing Awareness Training’s reasonable control, such as a force majeure event in accordance with the Agreement.
Customer Requirements. Customer responsibilities and/or requirements in support of this SLA include: (a) Customer’s compliance with the Agreement and the applicable Quote; (b) reasonable availability of Customer’s admin and/or technical representative(s) when resolving a service-related incident or request; and (c) providing proper notice of Phishing Awareness Training’s non-compliance with any Subscription Service or Professional Service warranty in accordance with the Agreement and sufficiently detailing the non-compliance in a manner that enables Phishing Awareness Training to properly assist with the remediation. Phishing Awareness Training will not be responsible for delays in remediation caused by Customer’s failure to respond to requests by Phishing Awareness Training. Customer understands that the Subscription Services will only operate in accordance with Phishing Awareness Training’s Documentation, as defined in the Agreement, and it is Customer’s responsibility to ensure that the Subscription Services will be fit for its purposes and to ensure that the Subscription Services will be supported by Customer’s technology and business environment. Customer understands that Phishing Awareness Training’s Subscription Services are non-mission critical to Customer’s business.
EXHIBIT B – INFORMATION SECURITY REQUIREMENTS
1. Security. Phishing Awareness Training will maintain its information technology environment and Customer Confidential Information secure from unauthorized access by using commercially reasonable efforts and industry standard organizational, physical and technical safeguards, and refrain from implementing changes that materially lower the level of security protection provided as of the Effective Date of the Agreement. Phishing Awareness Training will comply with the minimum security standards set forth in this Exhibit and provide prior notice to Customer of any significant changes to Phishing Awareness Training’s information security policy that would materially lessen the security posture of its information technology environment. Phishing Awareness Training will conduct a SOC-2 Type 2 or such similar or successor audit on an annual basis. Upon request, Phishing Awareness Training will provide Customer with a copy of such audit report and promptly remediate and/or mitigate any non-conformance findings in line with Phishing Awareness Training’s existing vulnerability remediation process. Such audit report will be considered Confidential Information of Phishing Awareness Training.
2. Audit Rights. Not more than once per calendar year during the Term of the Agreement and with at least thirty (30) days’ prior written notice by Customer to Phishing Awareness Training, Customer may, at Customer’s sole expense, audit Phishing Awareness Training to verify compliance with the terms and conditions of this Exhibit. Such audit will be: (i) Completed within two (2) weeks; (ii) Performed during Phishing Awareness Training’s regular business hours in a manner that, in Phishing Awareness Training’s reasonable judgment, does not disrupt or degrade Phishing Awareness Training’s regular business operations and is done in accordance with Phishing Awareness Training’s security and data protection policies; (iii) Limited to Phishing Awareness Training’s facilities and personnel of Phishing Awareness Training in scope of this Agreement; and (iv) Conducted by either Customer’s personnel or, with Phishing Awareness Training’s approval, by an independent third party mutually agreed to by the parties. Customer may create an audit report summarizing the findings and observations of the audit (“Audit Report”). Audit Reports are deemed to be Confidential Information of Phishing Awareness Training and the Customer will not disclose the Audit Reports to third parties except to Customer’s legal counsel and consultants bound by obligations of confidentiality using at least the same degree of care Customer employs in maintaining in confidence its own Confidential Information of a similar nature, but in no event less than a reasonable degree of care. Customer will disclose the results of its audit to Phishing Awareness Training within one week after its completion. Phishing Awareness Training will promptly respond to audit findings and, at Phishing Awareness Training’s expense, discuss the findings with Customer, and if applicable, remediate and/or mitigate any critical or high-risk findings.
3. Technical Security Controls. With respect to Phishing Awareness Training infrastructure that processes, stores, or transmits Customer Confidential Information, Phishing Awareness Training will use the following technical security controls where applicable (and keep them current by incorporating and using all updates commercially available):
a. Network Protection
i. Network based firewalls or equivalent
ii. Network intrusion detection/protection systems
b. Client Protection
i. Malware and malicious code protection are applied to all applicable workstations. No workstations are permitted to store or process customer data
ii. Host-based firewall/intrusion prevention software that blocks activity not directly related to or useful for business purposes
c. System and Software Protection
i. All systems and applications must utilize secure authentication and authorization mechanisms
ii. All Phishing Awareness Training-developed applications must be designed and implemented using secure coding standards and design principles (e.g., OWASP)
iii. Operating systems must be hardened appropriately according to industry standard practices
iv. Systems must be inspected for known vulnerabilities and all identified known vulnerabilities must be patched as soon as reasonably possible
i. Phishing Awareness Training will review and update encryption configurations on all systems that utilize encryption. Phishing Awareness Training will utilize only modern industry accepted encryption algorithms, ciphers, modes and key sizes
e. Customer Confidential Information Protection
i. Customer Confidential Information Access: Phishing Awareness Training will ensure that only authorized individuals (based on role) will, on behalf of Phishing Awareness Training, have access to Customer Confidential Information
ii. Customer Confidential Information Storage: Phishing Awareness Training will not process or transfer such Confidential Information to any portable storage medium, unless the storage medium is fully encrypted in accordance with encryption requirements set forth in this Exhibit
iii. Customer Confidential Information Transmission: All transmission or exchange of Customer Confidential Information by Phishing Awareness Training will use secure protocol standards in accordance with encryption requirements set forth in this Exhibit
4. Incidents. If Phishing Awareness Training becomes aware of any unauthorized access to the Customer Confidential Information on systems owned, managed, or subcontracted by Phishing Awareness Training, Phishing Awareness Training will, without undue delay, notify Customer; consult and reasonably cooperate with investigations and potentially required notices; and provide any information reasonably requested by Customer. In the event of a breach or any unauthorized disclosure of Customer Confidential Information, at no additional cost to Customer, Phishing Awareness Training will reasonably cooperate with Customer in investigating the incident including, but not limited to, the provision of system, application, and access logs, conducting forensics reviews of relevant systems, imaging relevant media, and making personnel available for interview. On notice of any actual breach, Phishing Awareness Training will immediately institute appropriate controls to maintain and preserve all electronic evidence relating to the breach in accordance with industry standard practices.
5. Training. Phishing Awareness Training will periodically provide its representatives that manage, or have access to, Customer Confidential Information, including Personal Data, with privacy and security awareness training.