1.1. Access to Cymulate’s remote cloud-based cyber breach and attack simulation platform and any other material (whether written or oral), products, deliverables, reports and/or services provided by Cymulate under this Agreement including the Agent (collectively, the “Platform”) is provided to Customer subject to the terms of this Agreement. This Agreement forms a legally binding contract between Customer and Cymulate in relation to Customer’s use of the Platform.
The Platform also includes all enhancements, modifications, additions, translations, compilations, or other software delivered to Customer by Cymulate hereunder and any and all printed and electronic documentation provided with the Platform.
1.2. Customer may not use the Platform and may not accept the Agreement if it is an entity barred from receiving the Platform under the laws of the State of Israel or other countries including the country in which Customer is a resident or from which Customer uses the Platform.
1.3. If Customer is agreeing to be bound by this Agreement on behalf of its employer or other entity, Customer represents and warrants that it has full legal authority to bind its employer or such entity to this Agreement. If Customer does not have the requisite authority, it may not accept the Agreement or use the Platform on behalf of its employer or other entity.
2. THE SERVICES
2.1. Subject to Customer’s compliance with the terms and conditions of this Agreement and any technical guidelines as will be provided by Cymulate from time to time, Cymulate hereby grants Customer the right, during the term of this Agreement, to install the “Agent” on its organization’s systems and to access and use the Platform for the sole purpose of conducting such number of cyber security testing simulations detailed in the Commercial Terms Form, or as detailed in the description of the Free Trial (as defined below) for Customer’s organization’s systems in order to validate its current security posture. Use of the Platform for any other purpose shall require Cymulate’s prior written consent and shall be subject to such terms (including pricing) to be separately agreed.
2.2. Customer shall not make any copies of the Platform and is expressly prohibited from providing the Platform or any portion thereof, or access thereto, to any third party, except as otherwise agreed to by Cymulate in writing.
2.3. As part of the Platform, Cymulate shall grant Customer a limited, revocable, non-exclusive and non-transferable license to install during the term of this Agreement an executable plugin which functions with an Outlook account (“Agent”) on Customer’s organization’s systems for the purposes stated herein.
2.4. Customer is solely responsible for providing equipment, infrastructure, servers and all third-party software and licenses required for running the Platform. Customer is responsible for all fees charged by third parties related to its access and use of the Platform (e.g., charges by Internet service providers). If any IP addresses, hosts, facilities or web applications are owned or hosted with a service provider or other third party, it will be necessary for Customer to obtain permission from that party before using the Platform in writing or through email. Customer hereby represents and warrants that it has or will obtain prior to using the Platform any authorizations and consents required in order to use the Platform and shall, if requested by Cymulate, provide written evidence of such consent to Cymulate.
2.5. Cymulate may make modifications, additions and upgrades to the Platform, as it deems necessary. The terms of this Agreement will apply to any updates that Cymulate may make available to Customer unless the update is accompanied by a separate license, in which case the terms of that license will govern. Customer agrees that updates may require it to change or update its systems, and may affect its ability to use, access or interact with the Platform.
2.6. Cymulate shall make commercially reasonable efforts to ensure that the Platform will be accessible and functional on a continuous basis, with the exception of scheduled maintenance periods in accordance with its Service Level Agreement attached hereto as Annex A. The foregoing notwithstanding, Customer acknowledges and agrees that the Platform may be inaccessible or inoperable at any time and for any reason, including without limitation due to equipment malfunctions, unscheduled maintenance or repairs, or causes that are beyond Cymulate’s reasonable control or not reasonably foreseeable by Cymulate, including without limitation interruption or failure of telecommunication or digital transmission links, hostile network attacks, network congestion or other failures.
If the Platform becomes inaccessible or is not fully functional, other than due to scheduled maintenance, Cymulate shall have qualified personnel respond and endeavor to remedy such unavailability or failure of functionality as soon as reasonably possible.
2.7. In using the Platform, Customer will adhere to all applicable laws regarding the transmission and distribution of information or material over the Internet and will otherwise adhere to generally accepted standards of Internet usage.
3. ACCOUNT INFORMATION
3.1. During the process of creating an account in order to access the Platform (“Account”), Customer may be required to select a password (the “Login Information”). The following rules govern the security of Customer’s Account and Login Information. For the purposes of this Agreement, references to Account and Login Information shall include any account and account information, including user names, passwords or security questions, whether or not created for the purpose of using the Platform, that are used to access the Platform:
a. Customer shall not share its Account or Login Information, nor let anyone else access its Account or do anything else that might jeopardize the security of its Account;
b. In the event Customer becomes aware of or reasonably suspects any breach of security, including, without limitation any loss, theft, or unauthorized disclosure of its Login Information or unauthorized access to its Account, Customer must immediately notify Cymulate and modify its Login Information;
c. Customer is solely responsible for maintaining the confidentiality of the Login Information, and will be responsible for all uses of its Login Information, including purchases, whether or not authorized by it;
d. Customer is responsible for anything that happens through its Account, whether or not such actions were taken by it, including, for the avoidance of doubt, actions taken by third parties. Customer therefore acknowledges that its Account may be terminated if someone else uses it to engage in any activity that violates this Agreement or is otherwise improper or illegal;
e. Customer undertakes to monitor its Account and restrict use by any individual barred from accepting this Agreement and/or using the Platform, under the provisions listed herein or any applicable law. Customer shall accept full responsibility for any unauthorized use of the Platform by any of the above mentioned;
f. Cymulate reserves the right to remove or reclaim any usernames at any time and for any reason, including but not limited to claims by a third party that a username violates such third party’s rights.
4. ACCOUNT TERMINATION
4.1. Cymulate may refuse access to the Platform or may terminate Customer’s Account without notice for any reason, including, but not limited to, a suspected violation of this Agreement, illegal or improper use of Customer’s Account, or illegal or improper use of the Platform or Cymulate’s intellectual property as determined by Cymulate in its sole discretion. Customer may lose its user name as a result of Account termination, without responsibility on the part of Cymulate for any damage that may result from the foregoing. If Customer has more than one Account, Cymulate may terminate all of its Accounts.
4.2. In addition to the foregoing, Cymulate may selectively remove or revoke benefits associated with Customer’s Account. If Customer’s Account, or a particular subscription for the Platform associated with Customer’s Account, is terminated, suspended and/or if any benefits are selectively removed or revoked from Customer’s Account, no refund will be granted, no benefits will be credited to Customer or converted to cash or other forms of reimbursement, and Customer will have no further access to its Account or benefits associated with its Account or such particular service.
4.3. Customer acknowledges that Cymulate is not required to provide it notice before suspending or terminating its Account or selectively removing or revoking benefits associated with its Account. In the event that Cymulate terminates Customer’s Account, Customer may not participate nor make use of the Platform again without Cymulate’s express consent. Cymulate reserves the right to refuse to keep Accounts for, and provide access to the Platform or other services to, any individual. Customer may not allow entities whose Accounts have been terminated by Cymulate to use its Account. If Customer believes that any action has been taken against its Account in error, please contact Cymulate at: [email protected]
4.4. Customer is solely responsible to preserve the originals of any content it provides and/or uploads to the Platform. Cymulate does not guarantee that any content will always be available through the Platform. Customer cannot rely upon the Platform as a storage space for such content.
5. FREE TRIAL
5.1. Customer may sign up for a free trial by checking such option in the Commercial Terms Form or by registering to the Free Trial on Cymulate’s website at: https://app.cymulate.com/free-assessment (the “Free Trial”).
5.2. The Free Trial will allow Customer to launch a partial breach and attack simulation for a period of 14 days or such other period of time as detailed in the Commercial Terms Form (the “Free Trial Period”).
5.3. The Free Trial shall be provided free of charge.
5.4. During the Free Trial Period, either party may terminate this Agreement and the use of the Platform by providing a notice to the other party.
5.5. Immediately following the Free Trial Period, in the event that the Customer did not purchase a subscription to continue using the Platform, Customer’s Account shall automatically terminate.
6.1. Except in the event of a Free Trial, Customer will pay Cymulate subscription fees for the Platform in accordance with the commercial terms set forth in the Commercial Terms Form (“Fees”). The Fees shall be paid regardless of actual use of the Service and shall be non-refundable.
6.2. All prices and fees indicated in the Commercial Terms Form are net and exclusive of any taxes (including without limitation any Value Added Tax or other sales tax), customs, tariffs or other charges or fees, except taxes arising from Cymulate’s income, all of which will be added to such prices and fees and borne exclusively by Customer.
6.3. Any payments by Customer that are not paid on or before the date such payments are due under this Agreement shall bear interest of one percent (1%) per month. Interest shall accrue beginning on the first day following the due date for payment and shall be compounded quarterly. In addition, and without derogating from any other remedies available to Cymulate, Cymulate may:
6.3.1. If the non-payment of an invoice continues for a period of sixty (60) days from the date of invoice – disconnect the Platform. Customer will not be able to login to the account and analytics and alerts will be disabled.
6.3.2. If the non-payment of an invoice continues for a period of ninety (90) days from the date of invoice – terminate the Agreement. All account data and history shall be permanently deleted.
7. TERM AND TERMINATION
7.1. Except in the event of a Free Trial, the term of this Agreement shall be set in the Commercial Terms Form (the “Initial Term”). The Initial Term will be automatically renewed for successive twelve (12) month terms unless either party notifies the other in writing not less than thirty (30) days prior to the expiration of the then current term of its intention to terminate. Both the Initial Term and any renewal term are subject to earlier termination as otherwise provided herein. Either party may choose not to renew this Agreement without cause for any reason.
7.2. Cymulate may terminate this Agreement immediately upon written notice to Customer if Customer has materially breached this Agreement or if Customer fails to make any timely payment of the Fees.
7.3. Upon termination, all rights and obligations pursuant to this Agreement including any licenses shall immediately terminate, except for any provisions of this Agreement that are intended by their nature to survive termination, including Sections 7 (“Term and Termination”), 9 (“Title”), 10 (“Confidential Information”), 11 (“Limitations on use”), 12 (“Disclaimer of Warranties”), 13 (“Limitations on Liability”), 14 (“Indemnification”) and 15 (“General”) hereunder, which shall survive the expiration or termination of this Agreement.
8. INFORMATION COLLECTED
8.2. While Cymulate will not initiate the collection of personal information, as defined under the EU General Data Protection Regulation 2016/679 (“GDPR”), such information may be collected upon Customer’s choice of registration to create an Account, to be provided with access to use the Platform. Notwithstanding Section 3.2 to this Agreement and to the extent that the GDPR will apply to Cymulate’s processing of Customer’s personal information, such information shall be processed pursuant to the provisions set forth under the Data Processing Addendum attached hereto as Annex B.
8.3. Cymulate may elect to notify relevant third-party software and systems vendors of the existence of critical vulnerabilities discovered during performance and use of the Platform. Cymulate will only make such a notification where it reasonably considers that the existence of the vulnerability should be brought to the relevant vendor’s attention to prevent harm to other users of the software or systems, and that Cymulate making the notification is generally in the public interest. Cymulate will limit the content of any notification to the existence of the vulnerability in question, and will not provide any data or information specific to Customer or which might reasonably be expected to identify Customer.
9. TITLE
9.1. All right, title and interest (including any and all intellectual property rights) in the Platform and any improvements and enhancements thereto shall at all times remain with Cymulate and/or its suppliers and no rights in the Platform or under any Cymulate intellectual property rights are granted to Customer except as explicitly provided in Section 2 above.
9.2. Customer shall not and shall not permit any third party to: (a) engage in, cause, or permit the reverse engineering, disassembly, decompilation or any similar manipulation or attempt to discover the source code of the Platform or any part thereof; (b) bypass, alter, or tamper with any security or lockout features of the Platform; (c) create any derivative work or translation of the Platform.
9.3. Nothing in this Agreement gives Customer a right to use any of Cymulate’s trade names, trademarks, service marks, logos, domain names, or other distinctive brand features.
9.4. Customer hereby agrees to provide Cymulate with feedback concerning the functionality and performance of the Platform, from time to time, as reasonably requested by Cymulate, including, without limitation identifying potential errors, enhancements and improvements. Any feedback, suggestions, ideas or other inputs that Customer provides Cymulate in connection with the Platform may be freely used by Cymulate to improve or enhance its products and, accordingly, all rights to such improvements and/or enhancements, howsoever arising, including as a result of any ideas, inputs or information provided by Customer as aforesaid, shall vest solely with Cymulate.
10. CONFIDENTIAL INFORMATION
Customer acknowledges and agrees that the Platform was developed at considerable time and expense by Cymulate and contains valuable trade secrets and confidential information of Cymulate. Accordingly, Customer agrees to maintain the confidentiality of any proprietary information received by Customer during, or prior to entering into, this Agreement, including, without limitation, the Platform and any know-how disclosed by Cymulate, trade secrets and other proprietary information, that Customer should know is confidential or proprietary based on the circumstances surrounding the disclosure, including, without limitation, non-public technical and business information and all other information obtained during the use of the Platform as permitted hereunder (“Confidential Information”). The restriction herein shall not apply to the extent that such information is in the public domain or hereafter falls into the public domain through no fault of Customer. Customer agrees not to use said Confidential Information for any purpose except as necessary to fulfill its obligations and exercise its rights under this Agreement. Customer shall protect the secrecy of and avoid disclosure and unauthorized use of Cymulate’s Confidential Information to the same degree that it takes to protect its own confidential information and in no event less than reasonable care.
11. LIMITATIONS ON USE
Customer agrees to use this Platform solely to perform security assessments and other services provided by Cymulate through Cymulate’s Platform.
Customer agrees to use the Platform’s services to make only legitimate actions.
Customer agrees to not abuse the Platform. “Abuse” includes, without limitation, using the Platform to:
11.1. Defame, harass, stalk, threaten, abuse or otherwise violate others’ rights as defined by applicable law.
11.2. Harm or interfere with the operation of others’ computers and software in any respect, including, without limitation, by uploading, downloading or transmitting corrupt files or computer viruses.
11.3. Violate applicable intellectual property, publicity or privacy rights, including, without limitation, by uploading, downloading or transmitting materials or software.
11.4. Omit or misrepresent the origin of, or rights in, any file Customer downloads or uploads, including, without limitation, by omitting proprietary language, author identifications, or notices of patent, copyright or trade-mark.
11.5. Transmit, post, or otherwise disclose trade secrets, or other confidential or protected proprietary material or information, moreover, provide Cymulate’s proprietary information to any 3rd party (including: business entities, vendors, integrators etc.).
11.6. Download or upload files that are unlawful to distribute through the Platform.
11.7. Interfere with or disrupt the Platform or servers or networks connected to the Platform, including attempting to interfere with the access of any other user, host or network, including without limitation, overloading, initiating, propagating, participating, directing or attempting any “denial of service” attacks, “spamming”, “crashing”, “flooding” or “mail-bombing” the Platform.
11.8. Direct bots, spiders, crawlers, avatars, intelligent agents or any other automated process at Cymulate’s computer systems or otherwise, create unreasonable load upon any of Cymulate’s computer hardware, network, storage, input/output or electronic control devices or infrastructure.
11.9. Transmit any information or software obtained through the Platform, or copy, create, display, distribute, license, perform, publish, recreate, reproduce, sell, or transfer works deriving from the Platform.
11.10. Falsely use a password or personal identification number during logging into the Account or misrepresent one’s identity or authority to act on behalf of another.
11.11. Violate this Agreement in any other manner.
12. DISCLAIMER OF WARRANTIES
12.1. Customer understands that the Platform may use various methods and software tools to probe network resources for security-related information and to detect actual or potential security flaws and vulnerabilities. Customer authorizes Cymulate through the Platform to perform such security services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the security services or otherwise approved by Customer from time to time). Furthermore, Customer acknowledges that use of the Platform could possibly result in service interruptions or degradation regarding its systems and accepts those risks and consequences. Customer further acknowledges that it is its responsibility to restore network computer systems to a secure configuration after using the Platform.
WITHOUT DEROGATING FROM THE AFORESAID, THE PLATFORM IS PROVIDED “AS IS”. CYMULATE DISCLAIMS ANY AND ALL WARRANTIES, REPRESENTATIONS, AND CONDITIONS RELATING TO THE PLATFORM, WHETHER EXPRESS, IMPLIED OR ARISING BY CUSTOM OR TRADE USAGE, OR FROM A COURSE OF DEALING INCLUDING, BUT NOT LIMITED TO, ANY REPRESENTATION, WARRANTY, OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. NO INFORMATION OR ADVICE GIVEN BY CYMULATE OR ITS AGENTS, EMPLOYEES, OR REPRESENTATIVES, WHETHER ORAL OR WRITTEN, SHALL CREATE ANY REPRESENTATION OR WARRANTY.
12.2. Customer understands that use of the Platform does not constitute any guarantee or assurance that security of its systems, networks and assets cannot be breached or are not at risk. Use of the Platform is an assessment, as of a particular date. Furthermore, Cymulate is not responsible for updating its Platform including any reports and assessments provided as part of the Platform, or enquiring as to the occurrence or absence of such, in light of subsequent changes to its systems, networks and assets after the date of use of the Platform.
13. LIMITATIONS ON LIABILITY
IN NO EVENT SHALL CYMULATE OR ANYONE ON ITS BEHALF BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF BUSINESS OR PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION OR LOSS OR DAMAGES TO GOODWILL, IN CONNECTION WITH THIS AGREEMENT REGARDLESS OF THE CAUSE AND WHETHER ARISING IN CONTRACT (INCLUDING FUNDAMENTAL BREACH), TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF CYMULATE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSS. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, UNDER NO CIRCUMSTANCES WILL CYMULATE’S TOTAL AND AGGREGATE LIABILITY TO CUSTOMER FROM ALL CAUSES OF ACTION OF ANY KIND, INCLUDING WITHOUT LIMITATION CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, BREACH OF WARRANTY, OR OTHERWISE, ARISING OUT OF OR RELATED TO THIS AGREEMENT, EXCEED US $100.
14. INDEMNIFICATION
To the maximum extent permitted by law, Customer agrees to defend, indemnify and hold harmless Cymulate, its affiliates and their respective directors, officers, employees and agents from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorney’s fees) arising out of or accruing from (a) its use of the Platform, and (b) any non-compliance with this Agreement and/or breach of Customer’s representations.
15. GENERAL
15.1. No agency, partnership, joint venture or employment relationship is or shall be created by virtue of this Agreement.
15.2. Cymulate may assign this Agreement without notice to Customer. Customer shall not assign this Agreement or its rights hereunder without the prior written consent of Cymulate (such consent may be withheld or conditioned at Cymulate’s sole discretion) and any assignment without Cymulate’s prior written consent shall be null and void and of no effect. Cymulate may perform all obligations to be performed under this Agreement directly or may have some or all obligations performed by its affiliates, contractors or subcontractors.
15.3. Cymulate may make changes to the Agreement as it distributes new versions of the Platform. When these changes are made, Cymulate will make a new version of the Agreement available on the website where the Platform is made available.
15.4. Customer hereby agrees that Cymulate may identify Customer on Cymulate’s website(s) and other marketing materials as a user of the Platform.
15.5. This Agreement shall be governed by, interpreted and enforced in accordance with the laws of the State of Israel, without regard to its conflict of law principles. All actions, suits or proceedings under or related to this Agreement shall be adjudicated in the courts of Tel-Aviv, Israel, and the Parties hereby irrevocably consent to the exclusive jurisdiction and venue of such courts.
15.6. All notices permitted or required hereunder shall be in writing and shall be sent by facsimile, or personal delivery at the facsimile number, or address as either Party may specify. Notices sent to Cymulate shall be addressed to Cymulate Ltd., 2 Nim St., Rishon Le Tzion, Israel and to Customer’s address as provided by it, or to the address otherwise designated from time to time in writing by the Parties. Any notices provided will be deemed as being received on the date of transmission of facsimile, e-mail, or personal delivery unless given outside normal business hours in which case such notice shall be deemed as being given on the next business day, provided that if any such notice fails to reach Customer because the information provided by it or on its behalf to Cymulate is not accurate or up to date, notice shall be deemed sufficiently delivered on the date it was sent.
Should Customer have any questions concerning this Agreement, or if Customer desires to contact Cymulate for any reason, please direct all correspondence to Cymulate Support ([email protected]).
SERVICE LEVEL AGREEMENT (SLA)
Support Services: Cymulate Ltd. (“Cymulate”) will provide the following Support Services:
In response to customer’s report of any technical problem in the accessibility or performance of a function or component of the Service which is under Cymulate’s control (a “Problem”), Cymulate will make reasonable efforts to provide a fix, work-around, an update or such other solution to such Problem, all at Cymulate’s discretion. Each report of a Problem must be accompanied by information sufficient to enable Cymulate to verify and resolve the Problem.
Support Services will be provided in accordance with the priority levels and response times set forth below. “Response Time” means that Cymulate will, within the timeframes listed below, report back to the customer with an assessment or evaluation of the Problem. After responding to customer, Cymulate will, taking into consideration the relevant “Priority Level”, aim to provide a solution as quickly as reasonably possible. The Priority Level will be determined by Cymulate at its discretion.
The email address for requesting support is: [email protected]
Critical Level Problem – unavailability of the Service.
Response within an average of 8 hours via telephone or e-mail.
High Level Problem – Service is working, but entire functionalities of the Service are unavailable.
Response within an average of 12 hours via telephone or e-mail.
Low Level Problem – Problem with little or no influence on the Service functionality, or a request for information or “How To” question.
E-mail response within 48 hours.
Availability: Cymulate warrants the Service will be generally available 99% of the time per calendar month, with the exception of any planned downtime of which Cymulate gives 8 hours or more notice and any unavailability caused by circumstances beyond Cymulate’s reasonable control. Cymulate will use commercially reasonable efforts to schedule all planned downtime during the weekend hours and will not be obligated to give notice for such downtime during the weekend hours.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the Terms and Conditions (“Agreement”) and shall apply only to the extent Customer is established within the European Union and/or to the extent that Cymulate Processes Personal Data of Data Subjects, located in the European Union on behalf of Customer.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Applicable Laws” means (a) European Union law or any laws of a member state of the European Union in respect of which Cymulate or Customer is subject to; and (b) any Israeli and other applicable law in respect of which Cymulate or Customer is subject to;
1.1.2 “Contracted Processor” means Cymulate or a Sub-processor;
1.1.3 “Customer Personal Data” means any Personal Data which may be processed by a Contracted Processor on behalf of a Customer, pursuant to or in connection with the Agreement;
1.1.4 “Data Protection Legislation” means GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant Israeli applicable law.
1.1.5 “EU” means the European Union;
1.1.6 “EEA” means the European Economic Area. The GDPR applies to the European Economic Area (EEA), which includes all EU countries as well as Iceland, Liechtenstein and Norway;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Services” means the cyber security services provided by means of the Platform and the installed Agent as defined in the Agreement;
1.1.9 “Sub-processor” means any person (excluding an employee of Cymulate or any of its sub-contractors) appointed by or on behalf of Cymulate to Process Personal Data on behalf of Customer in connection with the Agreement;
1.1.10 “Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation; and
1.1.11 “Term” means the term of the Agreement, as defined therein.
1.2 The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1 The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the GDPR and that Cymulate is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints Cymulate as an authorised sub-processor, which shall not change the obligations of the parties under this Addendum as Cymulate will remain a Processor in any such event. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.
2.2 Cymulate shall process Customer’s Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which Cymulate is subject. In which case, Cymulate shall notify Customer if, in its opinion, any instruction infringes the Regulation or other Union or Member State data protection provisions, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of Cymulate to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.
2.3 Customer warrants that it has all the necessary rights to give access to and to provide the Personal Data to Cymulate for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the Processing. To the extent required by EU Data Protection Law, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects, and unless another legal basis set forth in the EU Data Protection Law supports the lawfulness of the Processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Cymulate, and Cymulate will act pursuant to Customer’s instructions as seems appropriate.
2.4 Appendix 1 to this Addendum sets out certain information as required by Article 28(3) of the GDPR according to which Personal Data may be processed by Cymulate. Customer warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which Cymulate finds appropriate to provide the required Services.
3.1 Without prejudice to any existing contractual arrangements between the parties, Cymulate shall ensure that any person who it authorises to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.
4.1 Taking into account the measures required by Article 32 of the GDPR, and the state of the art, the costs of implementation and nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cymulate shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures may be updated by Cymulate from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
5.1 Customer authorises Cymulate to appoint (and permit each Sub-processor to appoint) Sub-processors listed under Appendix 2 attached hereto, and in accordance with this Addendum and any restrictions in the Agreement.
5.2 Cymulate shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors that will Process any Customer Personal Data (“New Sub-Processor”). If, within 14 calendar days of receipt of that notice, Customer notifies Cymulate in writing of any objections made on reasonable grounds, to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the New Sub-Processor is compliant with Article 28(4) of the GDPR. In the absence of a resolution, Cymulate will make commercially reasonable efforts to provide Customer with the same level of service described in the Agreement, without using the objected Sub-Processor to process Company’s Personal Data.
5.3 Where the Customer reasonably argues, that the risks involved with the sub-processing activities are still unacceptable, in the context of Article 28(4) and in relation to the appropriate steps, within the requisite time frame, and the parties are unable to resolve the issues within such time frame, Customer’s sole remedy will be to terminate the Agreement.
5.4 With respect to each Sub-processor, Cymulate shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.
6. Data Subject Rights
6.1 Customer shall comply with requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR, with regard to accessing Customer’s Personal Data held by Customer.
6.2 When Customer is unable to perform according to section 6.1, and therefore requires Cymulate’s assistance, while taking into account the nature of the Processing, Cymulate shall assist Customer, upon Customer’s request and at the Customer’s cost, by using appropriate technical and organizational measures, insofar as this is possible to comply with requests to exercise Data Subject rights, under the Data Protection Legislation.
7. Personal Data Breach
7.1 When Cymulate becomes aware of a data breach that has a material impact on the Processing of Personal Data that is subject to the Agreement, it shall notify Customer about the data breach. Cymulate shall cooperate with Customer and follow Customer’s reasonable instructions with regard to such data breach, to enable Customer to perform an investigation into the data breach, formulate a correct response and take suitable further steps in respect to the data breach.
Cymulate shall, at Customer’s cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of every occurring personal data breach.
8. Deletion or Return of Customer Personal Data
8.1 Subject to section 8.3, Customer may in its discretion by written notice to Cymulate within 30 calendar days of the Cessation Date, require Cymulate to (a) return a complete copy of all Customer’s Personal Data to the Customer; and (b) delete all other copies of Customer’s Personal Data Processed by any Contracted Processor. Cymulate shall comply with any such written request within 60 calendar days of the Cessation Date.
8.2 Cymulate shall notify the relevant Contracted Processors, processing Personal Data on its behalf, of the termination of the Data Processing Addendum.
8.3 Each Contracted Processor may retain Customer’s Personal Data to the extent and for such period as required by Applicable Laws.
9. Audit Rights
9.1 Subject to sections 9.2 and 9.3, Cymulate shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR.
9.2 Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Cymulate shall, at the Customer’s costs, allow for audits in relation to the Processing of the Customer’s Personal Data by the Contracted Processors, provided that:
9.2.1 Customer shall give Cymulate a reasonable notice of any audit to be conducted; and
9.2.2 Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) to minimize disruption to the Contracted Processors’ business, in the course of such audit, while such audits shall be conducted during normal working hours.
9.3 Cymulate may object to an auditor mandated by Customer if the auditor is, in Cymulate’s opinion, not suitably qualified or independent, a competitor of Cymulate, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.
10. General Terms
Information may be transferred to third party companies and individuals to facilitate Cymulate’s services, who are located in a country outside of the EEA. Cymulate as well as each Contracted Processor, shall implement appropriate technical and organizational measures to ensure a level of security, appropriate to the risk, while taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood of a risk to the rights and freedoms of natural persons. Furthermore, Cymulate and each Contracted Processor shall maintain as appropriate, the specific controls described in Article 32(1), (a) to (d) of the GDPR and including any other controls mandated by applicable Data Protection Legislation or set out in the Agreement.
Order of Precedence
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
Changes in Data Protection Legislation
If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.
Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject Matter and Duration of the Processing of Customer’s Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer’s Personal Data
Cymulate may process Personal Data for conducting cyber security testing simulations in order to validate Customer’s current security posture. Personal Data shall be processed upon Customer’s choice of registration to create an Account as set forth in the Agreement.
The Categories of Data Subject to whom the Customer’s Personal Data Relates
The categories of Data Subjects will be determined by Customer, including Customer’s customers, employees, suppliers and end-users.
The Obligations and Rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
APPENDIX 2 – LIST OF SUB-PROCESSORS
7. SC Magazine
8. IDG Security