End User License Agreement

This End User License Agreement you are reading is a legally binding agreement (“Agreement”) between yourself (the “Customer”) and the applicable Cymulate entity: (i) Cymulate Inc., if Customer has its primary office or residence in the United States or Canada; or (ii) Cymulate UK Ltd., if Customer has its primary office or residence in the United Kingdom; or (iii) Cymulate Ltd., if Customer has its primary office or residence in any other location (“Cymulate”). Customer accepts this Agreement by clicking an “agree” or similar button, where this option is provided by Cymulate, or if Customer installs, uses or accesses the Platform or any part of the Platform. Customer’s agreement to this Agreement also binds its authorized users, company or organization. If you do not agree to the terms of this Agreement, do not accept it. Before accepting this Agreement, please carefully read it. Any terms and conditions included in any ordering document from the Customer (including without limitation, any purchase order) that are inconsistent, conflicting, or additional to the terms in this Agreement will be void. In the event that a commercial terms form or proposal was entered into between the parties (the “Proposal”) which deviates from the terms of this Agreement, the terms of such Proposal and any annexes attached thereto shall prevail.

1. INTRODUCTION
1.1. Access to Cymulate’s remote cloud-based cyber breach and attack simulation platform and any other material (whether written or oral), products, deliverables, reports, and/or services provided by Cymulate under this Agreement, including the Agent (collectively, the “Platform”) is provided to Customer subject to the terms of this Agreement. This Agreement forms a legally binding contract between Customer and Cymulate in relation to Customer’s use of the Platform. The Platform also includes all enhancements, modifications, additions, translations, compilations, or other software delivered to Customer by Cymulate hereunder and any and all printed and electronic documentation provided with the Platform.

1.2. Customer may not use the Platform and may not accept the Agreement if it is an entity barred from receiving the Platform under any applicable law, including the country in which Customer is a resident or from which Customer uses the Platform.

1.3. If Customer agrees to be bound by this Agreement on behalf of its employer or other entity, Customer represents and warrants that it has the full legal authority to bind its employer or such entity to this Agreement. If the Customer does not have the requisite authority, it may not accept the Agreement or use the Platform on behalf of its employer or other entity.

2. THE SERVICES
2.1. Cymulate hereby grants Customer the right, during the term of this Agreement, to install the “Agent(s)” on its organization’s systems and to access and use the Platform for the sole purpose of conducting such cyber security testing simulations solely on Customer’s network, including Customer’s domain, as per the package or modules subscribed to by the Customer, all as detailed in the License Certificate provided to the Customer (the “License Certificate”), or as detailed in the description of the Free Trial (as defined below) to manage its security posture, all subject to Customer’s compliance with the terms and conditions of this Agreement and any technical guidelines as will be provided by Cymulate from time to time. Use of the Platform for any other purpose shall require Cymulate’s prior written consent and shall be subject to such terms (including pricing) to be separately agreed.

2.2. Customer shall not make any copies of the Platform and is expressly prohibited from providing the Platform or any portion thereof, or access thereto, to any third party, except as otherwise agreed to by Cymulate in writing.

2.3. As part of the Platform, Cymulate shall grant the Customer a limited, revocable, non-exclusive, and non-transferable license to install an executable plugin that functions with an Outlook account (“Agent”) on Customer’s organization’s systems for the purposes stated herein, during the term of this Agreement.

2.4. The Customer is solely responsible for providing equipment, infrastructure, servers, and all third-party software and licenses required for running the Platform. The Customer is responsible for all fees charged by third parties related to its access and use of the Platform (e.g., charges by internet service providers). If any IP addresses, hosts, facilities, or web applications are owned or hosted with a service provider or other third party, it will be necessary for the Customer to obtain permission from that party before using the Platform in writing or through e-mail. Customer hereby represents and warrants that it has or will obtain prior to using the Platform any authorizations and consents required in order to use the Platform and shall, if requested by Cymulate, provide written evidence of such consent to Cymulate.

2.5. Cymulate may make modifications, additions, and upgrades to the Platform, as it deems necessary. The terms of this Agreement will apply to any updates that Cymulate may make available to the Customer unless the update is accompanied by a separate license, in which case the terms of that license will govern.

2.6. Cymulate shall make commercially reasonable efforts to ensure that the Platform will be accessible and functional continuously, with the exception of scheduled maintenance periods in accordance with its Service Level Agreement attached hereto as Annex A. The foregoing notwithstanding, Customer acknowledges and agrees that the Platform may be inaccessible or inoperable at any time and for any reason, including without limitation due to equipment malfunctions, unscheduled maintenance or repairs, or causes beyond Cymulate’s reasonable control or not reasonably foreseeable by Cymulate. If the Platform becomes inaccessible or is not fully functional, other than due to scheduled maintenance, Cymulate shall have qualified personnel respond and endeavor to remedy such unavailability or failure of functionality as soon as reasonably possible.

2.7. In using the Platform, the Customer will adhere to all applicable laws regarding the transmission and distribution of information or material over the internet and otherwise adhere to generally accepted internet usage standards.

2.8. During the Customer’s use of the Platform, Customer may use the “Recon Feature”, for the sole purpose of receiving an evaluation of Customer’s cyber security vulnerabilities, based on public information analyzed by Cymulate. Customer may not, in any event, use the Recon Feature to perform an evaluation of a third party. In the event that Customer chooses to use the Recon Feature, it shall have full and sole responsibility over the use of the Recon Feature and its outcomes.

3. ACCOUNT INFORMATION
3.1. During the process of creating an account in order to access the Platform (“Account”), the Customer may be required to select a password (the “Login Information”). The following rules govern the security of the Customer’s Account and Login Information. For the purposes of this Agreement, references to Account and Login Information shall include any account and account information, including usernames, passwords, or security questions, whether or not created for the purpose of using the Platform, that is used to access the Platform:
a. Customer shall not share its Account or Login Information, nor let anyone else access its Account or do anything else that might jeopardize the security of its Account;
b. In the event Customer becomes aware of or reasonably suspects any breach of security, including, without limitation, any loss, theft, or unauthorized disclosure of its Login Information or unauthorized access to its Account, Customer must immediately notify Cymulate and modify its Login Information;
c. Customer is solely responsible for maintaining the confidentiality of the Login Information and will be responsible for all uses of its Login Information, including purchases, whether or not authorized by it;
d. The Customer is responsible for anything that happens through its Account, whether or not such actions were taken by it, including actions taken by third parties for the avoidance of doubt. The Customer, therefore, acknowledges that its Account may be terminated if someone else uses it to engage in any activity that violates this Agreement or is otherwise improper or illegal;
e. The Customer undertakes to monitor its Account and restrict use by any individual barred from accepting this Agreement and/or using the Platform, under the provisions listed herein or any applicable law. Customer shall assume full responsibility for any unauthorized use of the Platform by any of the above mentioned;
f. Cymulate reserves the right to remove or reclaim any usernames at any time and for any reason, including but not limited to claims by a third party that a username violates such a third party’s rights.

3.2. Any personal information Customer provides to Cymulate when creating or updating its Account will be held and used in accordance with Cymulate’s Privacy Policy available at https://www.cymulate.com/privacy-policy (“Privacy Policy”) which constitutes an integral part of this Agreement. The Customer agrees that it will supply accurate and complete information to Cymulate and update that information promptly after it changes. Customer represents and warrants that it has full right and authority to provide Cymulate with the foregoing information, including, without limitation, any third party’s consent (to the extent required under any applicable law).

4. ACCOUNT TERMINATION
4.1. Cymulate may refuse access to the Platform or may terminate Customer’s Account upon a suspected violation of this Agreement, illegal or improper use of Customer’s Account, or illegal or improper use of the Platform or Cymulate’s intellectual property as determined by Cymulate in its sole discretion, by providing Customer prior written notice. Customer may lose its username as a result of Account termination, without responsibility on the part of Cymulate for any damage that may result from the foregoing. If the Customer has more than one Account, Cymulate may terminate all its Accounts. In the event that Cymulate terminates the Customer’s Account, the Customer may not participate nor make use of the Platform again without Cymulate’s express consent. Cymulate reserves the right to refuse to keep accounts and provide access to the Platform or other services to any individual. Customer may not allow entities whose Accounts have been terminated by Cymulate to use its Account. If the Customer believes that any action has been taken against its Account in error, please contact Cymulate at: [email protected]

4.2. In addition to the foregoing, Cymulate may selectively remove or revoke the Customer’s Account benefits. If Customer’s Account, or a particular subscription for the Platform associated with Customer’s Account, is terminated, suspended, and/or if any benefits are selectively removed or revoked from Customer’s Account, no refund will be granted, no benefits will be credited to Customer or converted to cash or other forms of reimbursement, and Customer will have no further access to its Account or benefits associated with its Account or such particular service.

4.3. The Customer is solely responsible for preserving the originals of any content it provides and/or uploads to the Platform. Cymulate does not guarantee that any content will always be available through the Platform. Customers cannot rely upon the Platform as a storage space for such content.

5. FREE TRIAL
5.1. Customer may sign up for a free trial by registering to the Free Trial on Cymulate’s website at: https://cymulate.com/free-trial/ or as detailed in the Proposal (the “Free Trial”).

5.2. The Free Trial will allow the Customer to launch a partial breach and attack simulation for a period of 14 days or such other period of time as detailed in the Proposal (the “Free Trial Period”).

5.3. The Free Trial shall be provided free of charge.

5.4. During the Free Trial Period, either party may terminate this Agreement and the use of the Platform by providing notice to the other party.

5.5. Immediately following the Free Trial Period, in the event that the Customer did not purchase a subscription to continue using the Platform, the Customer’s Account shall automatically terminate.

6. CONSIDERATION
6.1. Except in the event of a Free Trial, the Customer will pay Cymulate a subscription fee for the Platform in accordance with the commercial terms set forth in the Proposal, to the extent executed, or such other order form executed between Cymulate and the Customer (the “Fee”). The Fee shall be paid regardless of actual use of the Platform or any specific vector and shall be non-refundable. Without derogating from the aforesaid, it is hereby clarified that the Customer shall pay the Fee for the entire package detailed in the License Certificate, even if the Customer chose not to use any specific vector(s) offered as part of such package, and that Customer shall not be entitled to replace any vector(s) with another vector(s) offered in the framework of other packages.

6.2. All Fees are net and exclusive of any taxes (including without limitation any Value Added Tax or other sales tax), customs, tariffs, or other charges or fees, except taxes arising from Cymulate’s income, all of which will be added to such prices and fees and borne exclusively by Customer.

6.3. Any payments by Customer that are not paid on or before the date such payments are due under this Agreement shall bear interest of one percent (1%) per month. Interest shall accrue beginning on the first day following the due date for payment and shall be compounded quarterly. In addition, and without derogating from any other remedies available to Cymulate, Cymulate may:
6.3.1. If the non-payment of an invoice continues for sixty (60) days from the invoice date, disconnect the Platform. Customer will not be able to log in to the Account.
6.3.2. If the non-payment of an invoice continues for ninety (90) days from the invoice date, terminate the Agreement. All account data and history shall be permanently deleted.

7. TERM AND TERMINATION
7.1. Except in the event of a Free Trial, the term of this Agreement shall be set in the License Certificate (the “Initial Term”). The Initial Term will be automatically renewed for successive twelve (12) months terms unless either party notifies the other in writing not less than thirty (30) days prior to the expiration of the then current term of its intention to terminate. Both the Initial Term and any renewal term are subject to earlier termination as otherwise provided herein. Either party may choose not to renew this Agreement without cause for any reason. Except as otherwise agreed to by the Parties in writing, the subscription fee shall increase on an annual basis such that upon renewal of the Initial Term and any renewal term thereafter, the subscription fee shall be increased by 7% compared to the subscription fee paid for the prior subscription term. In addition, the number of assets of Customer shall be reevaluated by Cymulate at the end of the Initial Term and any renewal term thereafter, and the subscription fee may be increased by Cymulate to reflect such new number of assets, based on Cymulate’s then current price list. Notwithstanding anything to the contrary, any renewal in which the packages, number of assets, number of vectors or subscription term had decreased from the prior subscription term will result in re-pricing at renewal without regard to the subscription fee paid for the prior subscription term.

7.2. Cymulate may terminate this Agreement immediately upon written notice to Customer if Customer has materially breached this Agreement or if Customer fails to make any timely payment of the Fees in accordance with Section 6.3.

7.3. Upon termination, all rights and obligations pursuant to this Agreement including any licenses shall immediately terminate, except for any provisions of this Agreement that are intended by their nature to survive termination, including Sections 7 (“Term and Termination”), 10 (“Title”), 11 (“Confidential Information”), 12 (“Limitations on use”), 13 (“Disclaimer of Warranties”), 14 (“Limitations on Liability”) and 15 (“General”) hereunder, which shall survive the expiration or termination of this Agreement.

8. INFORMATION COLLECTED
8.1. During the course of the Customer’s use of the Platform, Cymulate may collect information regarding the Customer’s use of the Platform, such as information on which vectors, tools and/or services in the Platform are being used and how they are being used, connection time to Cymulate’s server, etc. Any such information gathered by Cymulate will be used in general, aggregated, non personally identifiable form in connection with evaluating and improving Cymulate’s products and technology and for statistical purposes. Notwithstanding, the use of any of our services shall be subject to Cymulate’s Privacy Policy as shall be updated from time to time.

8.2. Following termination of this Agreement, Customer may, for a period of 30 days, request Cymulate to receive any and all information regarding Customer’s use of the Platform. Following the lapse of the aforesaid 30 days period, and provided that the Customer did not renew its subscription to the Platform, Cymulate will destroy and/or delete any and all such information regarding the Customer’s use of the Platform.

8.3. While Cymulate will not initiate the collection of personal information, as defined under the EU General Data Protection Regulation 2016/679 (“GDPR”), such information may be collected upon the Customer’s registration to create an Account and/or use the Platform.
If this Agreement is with Cymulate Ltd. or Cymulate UK Ltd., notwithstanding Section 3.2 to this Agreement and to the extent that the GDPR will apply on Cymulate’s processing of Customer’s personal information, such information shall be processed pursuant to the provisions set forth under the Data Processing Addendum attached hereto as Annex B.
If this Agreement is with Cymulate Inc., notwithstanding Section 3.2 to this Agreement, such information shall be processed pursuant to the provisions set forth under the Data Processing Addendum attached hereto as Annex C.

8.4. Cymulate may elect to notify relevant third-party software and systems vendors of critical vulnerabilities discovered during performance and use of the Platform. Cymulate will only make such a notification where it reasonably considers that the existence of the vulnerability should be brought to the relevant vendor’s attention to prevent harm to other users of the software or systems and that Cymulate making the notification is generally in the public interest. Cymulate will limit the content of any notification to the existence of the vulnerability in question and will not provide any data or information specific to the Customer or which might reasonably be expected to identify the Customer.

9. CUSTOMIZED SIMULATIONS
9.1. During the Customer’s use of the Platform, the Customer may create custom payloads and/or commands (“Customized Simulations”). In the event that Customer chooses to create Customized Simulations, it shall have full and sole responsibility over the Customized Simulation and its outcomes, and this Section 9 shall apply.

9.2. The Customer shall obtain all consent and permissions required under all applicable laws regarding the creation, edit or use of any Customized Simulation and shall adhere to all laws applicable thereto.

9.3. The Customer shall confirm that the Customized Simulation shall not contain any unapproved third party information nor infringe any third party rights.

9.4. All rights in the Customized Simulations shall remain with the Customer. The Customized Simulations shall not be considered a Cymulate product and/or a part of the Platform.

9.5. The Customer understands that Cymulate does not review nor scan any of the Customized Simulations, does not check and/or confirm whether a Customized Simulation works and/or performs as intended by the Customer nor whether the use of a Customized Simulation may result in any harm to the Customer’s systems, network and/or assets. Customer shall bear all risk and liability with respect to any creation, use, and outcome of a Customized Simulation, even when used through the Platform.

9.6. Customer understands and agrees that Cymulate may need to access, upload and/or copy the Customized Simulations to the Platform, make display adjustments, duplicate for backup, and perform any other technical actions and/or uses required to perform the services, as Cymulate deems fit. Cymulate may, at its sole discretion (however it shall have no obligation to do so), screen, monitor, and/or edit any Customized Simulation, at any time and for any reason, with or without notice, provided, however, that such actions shall not derogate from Customer’s responsibility for the Customized Simulations.

10. TITLE
10.1. All right, title, and interest (including any and all intellectual property rights) in the Platform and any improvements and enhancements thereto shall at all times remain with Cymulate and/or its suppliers and no rights in the Platform or under any Cymulate intellectual property rights are granted to Customer except as explicitly provided in Section 2 above.

10.2. Customer shall not and shall not permit any third party to (a) engage in, cause, or permit the reverse engineering, disassembly, decompilation, or any similar manipulation or attempt to discover the source code of the Platform or any part thereof; (b) bypass, alter or tamper with any security or lockout features of the Platform; (c) create any derivative work or translation of the Platform.

10.3. Nothing in this Agreement gives Customer a right to use any of Cymulate’s trade names, trademarks, service marks, logos, domain names, or other distinctive brand features.

10.4. Customer hereby agrees to provide Cymulate with feedback concerning the functionality and performance of the Platform, from time to time, as reasonably requested by Cymulate, including, without limitation identifying potential errors, enhancements and improvements. Any feedback, suggestions, ideas, or other inputs that Customer provides Cymulate in connection with the Platform may be freely used by Cymulate to improve or enhance its products and, accordingly, all rights to such improvements and/or enhancements, howsoever arising, including as a result of any ideas, inputs or information provided by Customer as aforesaid, shall vest solely with Cymulate.

11. CONFIDENTIAL INFORMATION
The Customer acknowledges and agrees that the Platform was developed at considerable time and expense by Cymulate and contains valuable trade secrets and confidential information of Cymulate.
Each party agrees to maintain the confidentiality of any proprietary information received by it from the other party during, or prior to entering into, this Agreement, including, without limitation, the Platform and any know-how disclosed by Cymulate, trade secrets, and other proprietary information, that a party should know is confidential or proprietary based on the circumstances surrounding the disclosure, including, without limitation, non-public technical and business information and all other information obtained during the use of the Platform as permitted hereunder (“Confidential Information”). The restriction herein shall not apply (i) to the extent that such information is in the public domain or hereafter falls into the public domain through no fault of the receiving party; (ii) rightfully received by the receiving party without any restrictions; (iii) required to be disclosed pursuant to an order of a court of competent jurisdiction or by applicable law or regulation, provided, however, that such disclosure is made only to the extent and solely to the recipient legally required and that the receiving party provides the disclosing party with adequate prior written notice of such legal requirement and with the opportunity to oppose the disclosure or obtain a protective order. Each party agrees not to use said Confidential Information for any purpose except as necessary to fulfill its obligations and exercise its rights under this Agreement. Each party shall protect the secrecy of and avoid disclosure and unauthorized use of the other party’s Confidential Information to the same degree that it takes to protect its own confidential information and in no event less than reasonable care.

To the extent a non-disclosure agreement was executed between the parties prior to execution of this Agreement, the terms of such non-disclosure agreement will continue to apply, and the provisions of this Section 11 shall be in addition to, and not in lieu thereof.

12. LIMITATIONS ON USE
12.1. The Customer agrees to use this Platform solely to perform security assessments and other services provided by Cymulate through Cymulate’s Platform.

12.2. The Customer agrees to use the Platform’s services to make only legitimate actions.

12.3. Customer agrees not to abuse the Platform and/or the Customized Simulations. “Abuse” includes, without limitation, using the Platform to: (i) Defame, harass, stalk, threaten, abuse, or otherwise violate others’ rights as defined by applicable law; (ii) Harm or interfere with the operation of others’ computers and software in any respect, including, without limitation, by uploading, downloading, or transmitting corrupt files or computer viruses; (iii) Violate applicable intellectual property, publicity, or privacy rights, including, without limitation, by uploading, downloading, or transmitting materials or software; (iv) Omit or misrepresent the origin of, or rights in, any file Customer downloads or uploads, including, without limitation, by omitting proprietary language, author identifications, or notices of patent, copyright, or trademark; (v) Transmit, post, or otherwise disclose trade secrets or other confidential or protected proprietary material or information; moreover, provide Cymulate’s proprietary information to any 3rd party (including business entities, vendors, integrators, etc.); (vi) Download or upload files that are unlawful to distribute through the Platform; (vii) Interfere with or disrupt the Platform or servers or networks connected to the Platform, including attempting to interfere with the access of any other user, host or network, including without limitation, overloading, initiating, propagating, participating, directing or attempting any “denial of service” attacks, “spamming”, “crashing”, “flooding” or “mail-bombing” the Platform; (viii) Direct bots, spiders, crawlers, avatars, intelligent agents, or any other automated process at Cymulate’s computer systems or otherwise, create unreasonable load upon any of Cymulate’s computer hardware, network, storage, input/output, or electronic control devices or infrastructure; (ix) Transmit any information or software obtained through the Platform, or copy, create, display, distribute, license, perform, publish, recreate, reproduce, sell, or transfer works deriving from the Platform; (x) Falsely use a password or personal identification number during logging into the Account or misrepresent one’s identity or authority to act on behalf of another; or (xi) Violate this Agreement in any other manner.

13. DISCLAIMER OF WARRANTIES
13.1. The Customer understands that the Platform may use various methods and software tools to probe network resources for security-related information and detect actual or potential security flaws and vulnerabilities. Customer authorizes Cymulate through the Platform to perform such security services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the security services or otherwise approved by Customer from time to time). Furthermore, the Customer acknowledges that the use of the Platform and/or a Customized Simulation could possibly result in service interruptions or degradation regarding its systems and accepts those risks and consequences.
WITHOUT DEROGATING FROM THE AFORESAID, THE PLATFORM IS PROVIDED “AS IS”. CYMULATE DISCLAIMS ANY AND ALL WARRANTIES, REPRESENTATIONS, AND CONDITIONS RELATING TO THE PLATFORM, OR THE CUSTOMIZED SIMULATIONS, WHETHER EXPRESS, IMPLIED, OR ARISING BY CUSTOM OR TRADE USAGE, OR FROM A COURSE OF DEALING INCLUDING, BUT NOT LIMITED TO, ANY REPRESENTATION, WARRANTY, OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. NO INFORMATION OR ADVICE GIVEN BY CYMULATE OR ITS AGENTS, EMPLOYEES, OR REPRESENTATIVES, WHETHER ORAL OR WRITTEN, SHALL CREATE ANY REPRESENTATION OR WARRANTY.

13.2. The Customer understands that the use of the Platform does not constitute any guarantee or assurance that the security of its systems, networks and assets cannot be breached or are not at risk. Use of the Platform is an assessment as of a particular date. Furthermore, Cymulate is not responsible for updating its Platform, including any reports and assessments provided as part of the Platform, or enquiring as to the occurrence or absence of such, in light of subsequent changes to its systems, networks, and assets after the date of use of the Platform.

14. LIMITATIONS ON LIABILITY
IN NO EVENT SHALL CYMULATE OR ANYONE ON ITS BEHALF BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF BUSINESS OR PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OR DAMAGES INCURRED AS A RESULT OF THE CUSTOMIZED SIMULATIONS OR LOSS OR DAMAGES TO GOODWILL, IN CONNECTION WITH THIS AGREEMENT REGARDLESS OF THE CAUSE AND WHETHER ARISING IN CONTRACT (INCLUDING FUNDAMENTAL BREACH), TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF CYMULATE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSS. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, UNDER NO CIRCUMSTANCES WILL CYMULATE’S TOTAL AND AGGREGATE LIABILITY TO THE CUSTOMER FROM ALL CAUSES OF ACTION OF ANY KIND, INCLUDING WITHOUT LIMITATION CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, BREACH OF WARRANTY, OR OTHERWISE, ARISING OUT OF OR RELATED TO THIS AGREEMENT, EXCEED THE FEES ACTUALLY PAID BY CUSTOMER TO CYMULATE HEREUNDER IN THE 12 MONTHS PRECEDING SUCH CLAIM.

15. GENERAL
15.1. No agency, partnership, joint venture, or employment relationship is or shall be created by virtue of this Agreement.

15.2. Cymulate may assign this Agreement without notice to the Customer. Customer shall not assign this Agreement or its rights hereunder without the prior written consent of Cymulate (such consent may be withheld or conditioned at Cymulate’s sole discretion), and any assignment without Cymulate’s prior written consent shall be null and void and of no effect. Cymulate may perform all obligations to be performed under this Agreement directly or may have some or all obligations performed by its affiliates, contractors, or subcontractors.

15.3. Customer hereby agrees that Cymulate may identify Customer on Cymulate’s website(s) and other marketing materials as a user of the Platform.

15.4. If this Agreement is with Cymulate Ltd., it shall be governed by, interpreted, and enforced in accordance with the laws of the State of Israel, without regard to its conflict of law principles. All actions, suits, or proceedings under or related to this Agreement shall be adjudicated in the courts of Tel-Aviv, Israel, and the Parties hereby irrevocably consent to the exclusive jurisdiction and venue of such courts.

If this Agreement is with Cymulate Inc., it shall be governed by, interpreted, and enforced in accordance with the laws of the State of New York, without regard to its conflict of law principles. All actions, suits, or proceedings under or related to this Agreement shall be adjudicated in the courts of New York, New York, and the Parties hereby irrevocably consent to the exclusive jurisdiction and venue of such courts.

If this Agreement is with Cymulate UK Ltd., it shall be governed by, interpreted, and enforced in accordance with the laws of England and Wales, without regard to its conflict of law principles. All actions, suits, or proceedings under or related to this Agreement shall be adjudicated in the courts of London, England, and the Parties hereby irrevocably consent to the exclusive jurisdiction and venue of such courts.

15.5. All notices permitted or required hereunder shall be in writing and sent by facsimile, personal delivery at the facsimile number, or address as either Party may specify. Notices sent to Cymulate shall be addressed to Cymulate Ltd., 3 Maze St., Tel Aviv, Israel, and to Customer’s address as provided by it, or to the address otherwise designated from time to time in writing by the Parties. Any notices provided will be deemed as being received on the date of transmission of a facsimile, e-mail, or personal delivery unless given outside normal business hours in which case such notice shall be deemed as being given on the next business day, provided that if any such notice fails to reach Customer because the information provided by it or on its behalf to Cymulate is not accurate or up to date, notice shall be deemed sufficiently delivered on the date it was sent.

Should Customer have any questions concerning this Agreement, or if Customer desires to contact Cymulate for any reason, please direct all correspondence to Cymulate Support.

ANNEX A

SERVICE LEVEL AGREEMENT (SLA)

Support Services: Cymulate will provide the following Support Services:

In response to the Customer’s report of any technical problem in the accessibility or performance of a function or component of the Service which is under Cymulate’s control (a “Problem”), Cymulate will make reasonable efforts to provide a fix, workaround, an update or such other solution to such Problem, all at Cymulate’s discretion. Each Problem report must be in English and accompanied by sufficient information to enable Cymulate to verify and resolve the Problem.

Support Services will be provided in accordance with the priority levels and response times set forth below. “Response Time” means that Cymulate will, within the timeframes listed below, report back to the Customer with an assessment or evaluation of the Problem. After responding to the Customer, Cymulate will, taking into consideration the relevant “Priority Level”, aim to provide a solution as quickly as reasonably possible. The Priority Level will be determined by Cymulate at its discretion.

The e-mail address for requesting support is: [email protected]

Priority Level | Response Time
Critical Level Problem – unavailability of the Service. | Response within 8 hours.
High Level Problem – Service is working, but entire functionalities of the Service are unavailable. | Response within 12 hours.
Low Level Problem – Problem with little or no influence on the Service functionality, or a request for information or “How To” question. | Response within 48 hours.

Availability: Cymulate warrants the Service will be generally available 99% of the time per calendar month, with the exception of any planned downtime of which Cymulate gives 8 hours or more notice and any unavailability caused by circumstances beyond Cymulate’s reasonable control. Cymulate will use commercially reasonable efforts to schedule all planned downtime during the weekend hours and will not be obligated to give notice for such downtime during the weekend hours.

ANNEX B

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) forms part of the End User License Agreement (“Agreement”) and shall apply only to the extent the Agreement was executed with Cymulate Ltd. or Cymulate UK Ltd., Customer is established within the European Union and/or to the extent that Cymulate Processes Personal Data subject to the GDPR.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.

1. Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1. “Applicable Laws” means (a) European Union law or any laws of a member state of the European Union in respect of which Cymulate or Customer is subject to; and (b) any Israeli and other applicable law in respect of which Cymulate or Customer is subject to;

1.2. “SCC” means the applicable model of the standard clauses for the transfer of Personal Data pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN

1.3. “Customer Personal Data” means any Personal Data which may be processed by Cymulate on behalf of Customer, pursuant to or in connection with the Agreement;

1.4. “Data Protection Legislation” means GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant Israeli applicable data protection and privacy law. “EU” means the European Union;

1.5. “EEA” means the European Economic Area. The GDPR applies to the European Economic Area (EEA), which includes all EU countries as well as Iceland, Liechtenstein and Norway;

1.6. “GDPR” means EU General Data Protection Regulation 2016/679;

1.7. “Services” means the cyber security services provided by means of the Platform and the installed Agent as defined in the Agreement;

1.8. “Sub-processor” means any person (excluding an employee of Cymulate or any of its sub-contractors) appointed by or on behalf of Cymulate to Process Personal Data on behalf of Customer in connection with the Agreement;

1.9. “Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation; and

1.10. “Term” means the term of the Agreement, as defined therein.

1.11. The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data
2.1. The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the GDPR and that Cymulate is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints Cymulate as an authorised sub-processor, which shall not change the obligations of the parties under this Addendum as Cymulate will remain a Processor in any such event. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.

2.2. Cymulate shall process Customer’s Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which Cymulate is subject. In which case, Cymulate shall notify Customer if, in its opinion, any instruction infringes the Data Protection Legislation or other Union or Member State data protection provisions, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of Cymulate to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.

2.3. Customer warrants that it has all the necessary rights to give access to and to provide the Personal Data to Cymulate for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Data Protection Legislation support the lawfulness of the Processing. To the extent required by Data Protection Legislation, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the Data Protection Legislation supports the lawfulness of the processing, that any necessary Data subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Cymulate, and Cymulate will act pursuant to Customer’s instructions as seems appropriate.

2.4. Exhibit 1 to this Addendum sets out certain information as required by Article 28(3) of the GDPR according to which, Personal Data may be processed by Cymulate. Customer warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which Cymulate finds appropriate to provide the required Services.

3. Confidentiality
Without prejudice to any existing contractual arrangements between the parties, Cymulate shall ensure that any person who it authorizes to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.

4. Security
Taking into account the measures required by Article 32 of the GDPR, and the state of the art, the costs of implementation and nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cymulate shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures are detailed under Exhibit 2 and may be updated by Cymulate from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.

5. Sub-processing
5.1. Customer authorizes Cymulate to appoint (and permit each Sub-processor to appoint) Sub-processors listed under Exhibit 3 attached hereto, and in accordance with this Addendum and any restrictions in the Agreement.

5.2. Cymulate shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors that will Process any Customer Personal Data (“New Sub-Processor”) via its sub-processors’ list available on Cymulate’s website. If, within 14 calendar days of receipt of that notice, Customer notifies Cymulate in writing of any objections made on reasonable grounds, to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the new Sub-processor is compliant with Article 28(4) of the GDPR. In the absence of a resolution, Cymulate will make commercially reasonable efforts to provide Customer with the same level of service described in the Agreement, without using the objected Sub-Processor to Process Customer’s Personal Data.

5.3. Where the Customer reasonably argues that the risks involved with the Sub-processing activities are still unacceptable, in the context of Article 28(4) and in relation to the appropriate steps, within the requisite time frame, and the parties are unable to resolve the issues within such time frame, Customer’s sole remedy will be to terminate the Agreement.

5.4. With respect to each Sub-processor, Cymulate shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.

6. Data Subject Rights
6.1. Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR and the Data Protection Legislation, with regard to accessing Customer’s Personal Data held by Cymulate.

6.2. When Customer is unable to perform according to section 6.1, and therefore requires Cymulate’s assistance, while taking into account the nature of the Processing, Cymulate shall assist Customer, upon Customer’s request and at the Customer’s cost, by using appropriate technical and organizational measures, insofar as this is possible to comply with requests to exercise Data Subject rights, under the Data Protection Legislation.

7. Personal Data Breach
7.1. When Cymulate becomes aware of a data breach that has a material impact on the Processing of Personal Data that is the subject to the Agreement, it shall notify Customer about the data breach. Cymulate shall cooperate with Customer and follow Customer’s reasonable instructions with regard to such data breach, to enable Customer to perform an investigation into the data breach, formulate a correct response and take suitable further steps in respect to the data breach.

7.2. Cymulate shall, at Customer’s cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring Personal Data Breach.

8. Deletion or Return of Customer Personal Data
8.1. Subject to section 8.3, Customer may in its discretion by written notice to Cymulate within 30 calendar days of the termination of the Agreement, require Cymulate to (a) return a complete copy of all Customer’s Personal Data to the Customer; and (b) delete all other copies of Customer’s Personal Data Processed by any Sub-processor. Cymulate shall comply with any such written request within 60 calendar days of the termination of the Agreement.

8.2. When relevant, Cymulate shall notify the relevant Sub-processors, who are Processing Personal Data on its behalf, of the termination of the Addendum.

8.3. Each Sub-processor may retain Customer’s Personal Data to the extent and for such period as required by Applicable Laws.

9. Audit Rights
9.1. Subject to section 9.2 and 9.3, Cymulate shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR.

9.2. Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Cymulate shall, at the Customer’s costs, allow for audits in relation to the Processing of the Customer’s Personal Data by Cymulate, provided that:
9.2.1. Customer shall give Cymulate a reasonable notice of any audit to be conducted; and
9.2.2. Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) to minimize disruption to Cymulate’s business, in the course of such audit, while such audits shall be conducted during normal working hours.

9.3. Cymulate may object to an auditor mandated by Customer if the auditor is, in Cymulate’s opinion, not suitably qualified or independent, a competitor of Cymulate, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.

10. Transfers
10.1. Information may be transferred to third party companies and individuals to facilitate Cymulate’s Services, who are located in a country outside of the EEA. To the extent that Cymulate or its Sub-processors Processes Customer Personal Data in countries outside of the EEA that do not provide an adequate level of data protection, as determined by the European Commission or other adequate authority, the applicable model of the SCC shall apply and shall be incorporated herein upon execution of this Addendum by the parties or Cymulate shall otherwise ensure that the continuity of protection of Personal Data shall be maintained for any respective onward transfers. With respect to each such data transfer, Cymulate shall implement appropriate technical and organizational measures to ensure a level of security, appropriate to the risk, while taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of Processing as well as the likelihood of a risk to the rights and freedoms of natural persons. Annex II of the SCCs shall be deemed completed with the information set out in Exhibit 2 to this Addendum.

10.2. To the extent that Cymulate or Customer are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of a competent jurisdiction to be invalid, Cymulate or Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

11. General Terms
11.1. Order of Precedence. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.

11.2. Changes in Data Protection Legislation. If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.

11.3. Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

EXHIBIT 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Exhibit 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

Subject Matter and Duration of the Processing of Customer’s Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.

The nature and purpose of the Processing of Customer’s Personal Data
Cymulate may process Personal Data for conducting cyber security attack simulations in order to validate Customer’s current security posture. Personal Data shall be processed upon Customer’s choice of registration to create an Account as set forth in the Agreement.

The Categories of Data Subject to whom the Customer’s Personal Data Relates
The categories of Data Subjects will be determined by Customer, including Customer’s customers, employees, suppliers and end-users.

The Obligations and Rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.

EXHIBIT 2 – SECURITY MEASURES

1.1 Cymulate shall establish a procedure for allowing access to Personal Data and restriction of such access. Cymulate shall ensure that access to Personal Data is strictly limited to those individuals who “need to know” or need to access the Personal Data and as strictly necessary for the purpose of providing the Service and shall keep record of the persons authorized to access the Personal Data subject of the Agreement.

1.2 Cymulate shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and written security protocols.

1.3 Cymulate shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.

1.4 Cymulate shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to Cymulate’s system’s infrastructure, data processing system, communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to Customer’s Personal Data or to Customer’s systems or communication lines between Cymulate and Customer.

1.5 Cymulate shall list all components (infrastructure and software) used to Process the Personal Data subject to this Agreement, including computer systems, communication equipment, and software. Cymulate shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.

1.6 Cymulate shall act in accordance with an appropriate written information security policy and working procedures that comply with the security requirements under this Exhibit and Data Protection Legislation, including with respect to backup and recovery procedures. Cymulate shall review its security policies and operating procedures periodically.

1.7 Cymulate shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.

1.8 Cymulate shall implement automatic control mechanism for verifying access to systems containing Personal Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. Cymulate shall periodically monitor the information from the control mechanism, list issues and irregularities and the measures taken to handle them.

1.9 Cymulate will perform security risk surveys to systems containing Personal Data, at least once every 18 months.

1.10 Cymulate will not disclose Personal Data through a public communications network or via the internet, without using industry-standard encryption methods.

EXHIBIT 3 – List of Sub-processors

Sub Processor | Purpose of Processing
SalesForce | Customer Relationship Management Tool
Outreach | Sales Engagement Platform
AWS | Cloud Computing Services – Infrastructure as a Service. Servers and Databases Production and back up of the Cymulate platform.
Hubspot | Inbound Marketing, Sales, and service software
Gong | Analyzes our customer-facing interactions across phone, email, and web conferencing

ANNEX C

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) forms part of the End User License Agreement (“Agreement”) and shall apply only to the extent the Agreement was executed with Cymulate Inc., and Cymulate Processes Personal Data on behalf of Customer in the course of the provision of its Services (as defined below).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.

1. Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1. “Applicable Laws” means any applicable law in respect of which Cymulate or Customer is subject to;

1.2. “SCC” means the applicable model of the standard clauses for the transfer of Personal Data pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN

1.3. “Customer Personal Data” means any Personal Data which may be processed by Cymulate on behalf of Customer, pursuant to or in connection with the Agreement;

1.4. “CCPA” means the California Consumer Privacy Act of 2018, including amendments and final regulations.

1.5. “Data Protection Legislation” means any data protection or privacy legislation of which Cymulate or Customer is subject to;

1.6. “Services” means the cyber security services provided by means of the Platform and the installed Agent as defined in the Agreement;

1.7. “Sub-processor” means any person (excluding an employee of Cymulate or any of its sub-contractors) appointed by or on behalf of Cymulate to Process Personal Data on behalf of Customer in connection with the Agreement;

1.8. “Supervisory Authority” means any regulatory authority responsible for the enforcement of Data Protection Legislation;

1.9. “Term” means the term of the Agreement, as defined therein.

1.10. The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the EU General Data Protection Regulation 2016/679 (“GDPR”) and shall be interpreted according to the equivalent terms in the applicable Data Protection Legislation.

2. Processing of Customer Personal Data

2.1. The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the Data Protection Legislation and that Cymulate is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints Cymulate as an authorised sub-processor, which shall not change the obligations of the parties under this Addendum as Cymulate will remain a Processor in any such event. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.

2.2. Cymulate shall process Customer’s Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which Cymulate is subject. In which case, Cymulate shall notify Customer if, in its opinion, any instruction infringes the Data Protection Legislation, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of Cymulate to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.

2.3. Customer warrants that it has all the necessary rights to give access to and to provide the Personal Data to Cymulate for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Data Protection Legislation support the lawfulness of the Processing. To the extent required by Data Protection Legislation, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the Data Protection Legislation supports the lawfulness of the processing, that any necessary Data subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Cymulate, and Cymulate will act pursuant to Customer’s instructions as seems appropriate.

2.4. In case Customer is subject to the CCPA, Cymulate certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Data Processed hereunder, nor take any action that would cause any disclosure of Personal Data to or from Cymulate under the Agreement or this DPA to qualify as “selling” such Personal Data under the CCPA. Cymulate will reasonably cooperate and assist Customer with meeting Customer’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of Cymulate’s Processing and the information available to Cymulate.

2.5. Exhibit 1 to this Addendum sets out certain information according to which, Personal Data may be processed by Cymulate. Customer warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which Cymulate finds appropriate to provide the required Services.

3. Confidentiality
Without prejudice to any existing contractual arrangements between the parties, Cymulate shall ensure that any person who it authorizes to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.

4. Security
Taking into account the measures required by the Data Protection Legislation, and the state of the art, the costs of implementation and nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cymulate shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures are detailed under Exhibit 2 and may be updated by Cymulate from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.

5. Sub-processing
5.1. Customer authorizes Cymulate to appoint (and permit each Sub-processor to appoint) Sub-processors listed under Exhibit 3 attached hereto, and in accordance with this Addendum and any restrictions in the Agreement.

5.2. Cymulate shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors that will Process any Customer Personal Data (“New Sub-Processor”) via its sub-processors’ list available on Cymulate’s website. If, within 14 calendar days of receipt of that notice, Customer notifies Cymulate in writing of any objections made on reasonable grounds, to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the new Sub-processor is compliant with the Data Protection Legislation. In the absence of a resolution, Cymulate will make commercially reasonable efforts to provide Customer with the same level of service described in the Agreement, without using the objected Sub-Processor to Process Customer’s Personal Data.

5.3. Where the Customer reasonably argues that the risks involved with the sub-processing activities are still unacceptable, in the context of the requirements of the Data Protection Legislation, and in relation to the appropriate steps, within the requisite time frame, and the parties are unable to resolve the issues within such time frame, Customer’s sole remedy will be to terminate the Agreement.

5.4. With respect to each Sub-processor, Cymulate shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.

6. Data Subject Rights
6.1. Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to the Data Protection Legislation, with regard to accessing Customer’s Personal Data held by Cymulate.

6.2. When Customer is unable to perform according to section 6.1, and therefore requires Cymulate’s assistance, while taking into account the nature of the Processing, Cymulate shall assist Customer, upon Customer’s request and at the Customer’s cost, by using appropriate technical and organizational measures, insofar as this is possible to comply with requests to exercise Data Subject rights, under the Data Protection Legislation.

7. Personal Data Breach
7.1. When Cymulate becomes aware of a data breach that has a material impact on the Processing of Personal Data that is subject to the Agreement, it shall notify Customer about the data breach. Cymulate shall cooperate with Customer and follow Customer’s reasonable instructions with regard to such data breach, to enable Customer to perform an investigation into the data breach, formulate a correct response and take suitable further steps in respect to the data breach.

7.2. Cymulate shall, at Customer’s cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring Personal Data Breach.

8. Deletion or Return of Customer Personal Data
8.1. Subject to section 8.3, Customer may in its discretion by written notice to Cymulate within 30 calendar days of the termination of the Agreement, require Cymulate to (a) return a complete copy of all Customer’s Personal Data to the Customer; and (b) delete all other copies of Customer’s Personal Data Processed by Cymulate. Cymulate shall comply with any such written request within 60 calendar days of the termination of the Agreement.

8.2. When relevant, Cymulate shall notify the relevant Sub-processors, who are Processing Personal Data on its behalf, of the termination of the Addendum.

8.3. Each Sub-processor may retain Customer’s Personal Data to the extent and for such period as required by Applicable Laws.

9. Audit Rights
9.1. Subject to section 9.2 and 9.3, Cymulate shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with the Data Protection Legislation.

9.2. Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Cymulate shall, at the Customer’s costs, allow for audits in relation to the Processing of the Customer’s Personal Data by Cymulate, provided that:
9.2.1. Customer shall give Cymulate a reasonable notice of any audit to be conducted; and
9.2.2. Customer shall take (and shall procure that each of its mandated auditors takes) reasonable steps to minimize disruption to Cymulate’s business in the course of such audit, and such audits shall be conducted during normal working hours.

9.3. Cymulate may object to an auditor mandated by Customer if the auditor is, in Cymulate’s opinion, not suitably qualified or independent, a competitor of Cymulate, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.

10. Transfers
10.1. Information may be transferred internationally to third party companies and individuals to facilitate Cymulate’s Services. To the extent that Cymulate or its Sub-processors are required to conduct such international transfer with respect to Customer Personal Data, Cymulate shall implement appropriate technical and organizational measures to ensure a level of security, appropriate to the risk, while taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of Processing as well as the likelihood of a risk to the rights and freedoms of natural persons.

10.2. When required to assure the data protection of the Personal Data transferred, Cymulate will assure the execution of the applicable model of the SCC, which shall be incorporated herein upon execution of this Addendum. Annex II of the SCCs shall be deemed completed with the information set out in Exhibit 2 to this Addendum.

10.3. To the extent that Cymulate or Customer are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of a competent jurisdiction to be invalid, Cymulate or Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

11. General Terms
11.1. Order of Precedence. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.

11.2. Changes in Data Protection Legislation. If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.

11.3. Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

EXHIBIT 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Exhibit 1 includes certain details of the Processing of Customer Personal Data.

Subject Matter and Duration of the Processing of Customer’s Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.

The nature and purpose of the Processing of Customer’s Personal Data
Cymulate may process Personal Data for conducting cyber security attack simulations in order to validate Customer’s current security posture. Personal Data shall be processed upon Customer’s choice of registration to create an Account as set forth in the Agreement.

The Categories of Data Subject to whom the Customer’s Personal Data Relates
The categories of Data Subjects will be determined by Customer, including Customer’s customers, employees, suppliers and end-users.

The Obligations and Rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.

 

 

EXHIBIT 2 – SECURITY MEASURES

1.11 Cymulate shall establish a procedure for allowing access to Personal Data and restriction of such access. Cymulate shall ensure that access to Personal Data is strictly limited to those individuals who “need to know” or need to access the Personal Data and as strictly necessary for the purpose of providing the Service and shall keep record of the persons authorized to access the Personal Data subject of the Agreement.

1.12 Cymulate shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and written security protocols.

1.13 Cymulate shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.

1.14 Cymulate shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to Cymulate’s system’s infrastructure, data processing system, communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to Customer’s Personal Data or to Customer’s systems or communication lines between Cymulate and Customer.

1.15 Cymulate shall list all components (infrastructure and software) used to Process the Personal Data subject to this Agreement, including computer systems, communication equipment, and software. Cymulate shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.

1.16 Cymulate shall act in accordance with an appropriate written information security policy and working procedures that comply with the security requirements under this Exhibit and Data Protection Legislation, including with respect to backup and recovery procedures. Cymulate shall review its security policies and operating procedures periodically.

1.17 Cymulate shall take measures to record the access to the Personal Data, including monitoring the entry into the facilities where the Personal Data is Processed, as well as any equipment brought in or taken out of such facilities.

1.18 Cymulate shall implement an automatic control mechanism for verifying access to systems containing Personal Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. Cymulate shall periodically monitor the information from the control mechanism, list issues and irregularities and the measures taken to handle them.

1.19 Cymulate will perform security risk surveys of systems containing Personal Data, at least once every 18 months.

1.20 Cymulate will not disclose Personal Data through a public communications network or via the internet, without using industry-standard encryption methods.

 

EXHIBIT 3 – LIST OF SUB-PROCESSORS

Sub Processor | Purpose of Processing
SalesForce | Customer Relationship Management Tool
Outreach | Sales Engagement Platform
AWS | Cloud Computing Services – Infrastructure as a Service. Servers and Databases Production and back up of the Cymulate platform.
Hubspot | Inbound Marketing, Sales, and service software
Gong | Analyzes our customer-facing interactions across phone, email, and web conferencing