Believe it…despite the best technical defences, if the human is not secure then the system isn’t either Real-world example: 2016 Democratic National Committee (DNC) hack. Phishing Tactics
republic terms and conditions
By purchasing a license to use our Products (whether directly from us or via your chosen channel partner), you agree that this Agreement
(“Agreement”) shall govern the provision and use of each Service you subscribe to from the Recyber Platform. This Agreement is made between you and
Recyber Opco Limited, a private limited company registered in England and Wales with its registered number 15294137 and whose business address is
85 Great Portland Street, First Floor, London, W1W 7LT (“Recyber”, “we”, “our”or “us”). Your continued use of our Products is deemed acceptance of
this Agreement.
1. Definitions
“Confidential Information” has the meaning given to it in clause 10.1.
“Customer Data” means any data or information submitted by you to us.
“Disclosing Party” has the meaning given to it in clause 10.1.
“Effective Date” has the meaning given to it in clause 3.1.
“Receiving Party” has the meaning given to it in clause 10.1.
“Recyber Platform” means the software as a service platform through which we provide our Products.
“Service(s)” means the specific service(s) that you have subscribed to from our Recyber Platform. Such Products can include continuous
scanning, penetration testing and research by us to identify areas of weakness in your systems; actionable feedback on the cultural and
behavioural aspects of cybersecurity within your organisation to assist your employees to be more knowledgeable about cybersecurity
through a series of games and prompts and/or further Products we may add to the Recyber Platform from time to time.
“User Error” means an error made by your Users when using the Products.
“Users” means individuals who are authorised by you to use the Products by means of a purchase of a subscription license for each of them
and who have been supplied user identifications and passwords to the Products by you (or by us at your request). Users include but are not
limited to your employees, consultants, contractors and agents or your affiliates and/or associated partnerships.
2. Products
2.1. Provision of Products. Subject to your payment of the applicable fees for the use of the Products (whether direct to us or your chosen
channel partner), we shall make the Products available to the number of Users from whom you have purchased a license pursuant to this
Agreement. You agree that your purchase of subscriptions is neither contingent upon the delivery of any future functionality or features nor
dependent upon any oral or written public comments made by us with respect to such future functionality or features.
2.2. Additional Users/Products. User subscriptions are for designated Users and cannot be shared or used by more than one User but may be
reassigned to new Users replacing former Users who no longer require ongoing use of the Service. The term for additional User subscriptions
or any new Products you purchase shall fall in line with your monthly/annual subscription license, allowing all Users (or new Products as
applicable) to expire at the end of the same subscription term. If you are buying directly from us, pricing for additional User subscriptions
shall be the same as that for the pre-existing subscriptions prorated for the remainder of the subscription term in effect at the time the
additional Users are added.
3. Start Date and Renewal of Products
3.1. For each Service you subscribe to, it shall commence within no more than 14 days from the date of your purchase – on the date notified to
you by us or your channel partner (“Effective Date”) and the Service shall continue for the initial duration you have purchased. If you are
buying a monthly subscription, your subscription shall automatically renew at the end of each month unless you give notice in writing to us
at least 48 hours prior to the end of the month that you do not wish to renew. If you are buying an annual subscription, your subscription
will automatically renew at the end of the 12 months unless you give notice in writing to us at 30 days prior to the end of the year that you
do not wish to renew.
4. Service Level Assurance
4.1. Network Server Availability. We will use reasonable efforts to ensure a Service availability level at 99.5% (measured over a calendar year),
except for those periods during scheduled network and/or application maintenance and except for emergencies. If scheduled maintenance
needs to occur during normal UK business hours (excluding emergencies), Recyber agrees to notify the Customer 5 business days in advance.
5. Use of the Products
5.1. Our Responsibilities. We shall take all reasonable steps to:
5.1.1. Ensure the Products are provided to you with reasonable skill and care in a professional manner;
5.1.2. In addition to our confidentiality obligations hereunder, we shall not use, modify or disclose your Customer Data to anyone other than
our employees and contractors who need to know the same to provide the Products;
5.1.3. Take appropriate technical, organisational and security measures against unauthorised access to or unauthorised alteration,
disclosure, destruction or loss of Customer Data;
5.1.4. Take reasonable steps to ensure that our employees engaged in providing the Products are aware and are suitably trained in such
technical, organisational and security measures; and
5.1.5. Maintain the security and integrity of the Products and your Customer Data;
5.1.6. maintain the underlying software in fully working order and in a timely manner fix, patch or provide workarounds for any software
errors, faults or bugs that are known to be affecting the running of the Recyber Platform or the software; and5.1.7. use commercially reasonable efforts to maintain the correct functionality and delivery of the system and to make the Products
available in accordance with clause 4 above, except for a) planned maintenance; or b) any unavailability caused by circumstances
beyond our reasonable control.
5.2. Your Responsibilities. You are responsible for all activities that occur in your Users’ accounts and for your Users’ compliance with this
Agreement. You shall: i) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer
Data and shall ensure all instructions given by you to us in respect of the Customer Data will be in compliance with applicable data protection
legislation; ii) use commercially reasonable efforts to prevent unauthorized access to, or use of your access to the Products, and notify us
promptly of any unauthorized access or use of which you become aware; iii) comply with all applicable laws in using the Products, including
without limitation all applicable data protection laws and regulations; and (iv) not use the Products in any manner or for a purpose not
permitted by applicable export laws, regulations or sanctions; nor export or re-export the Products to any country, region, organisation or
individual that is named as a restricted area or person on any applicable export laws, regulations or sanctions.
5.3. User Requirements. You agree to use the Service solely for your internal business purposes as contemplated by this Agreement and not to:
(i) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, or otherwise commercially exploit or make the Products available
to any third party, other than to Users or as otherwise contemplated by this Agreement; (ii) send spam or otherwise duplicative or unsolicited
messages through the Recyber Platform in violation of applicable laws; (iii) send or store infringing, obscene, threatening, libellous, or
otherwise unlawful material on the Recyber Platform; (iv) send or store any virus or other malicious code to or through the Recyber Platform;
(v) interfere with or disrupt the integrity or performance of the Products or the data contained therein; or (vi) attempt to gain unauthorized
access to the Products or its related systems or networks.
5.4. Your Agreement to Hacking. If you have subscribed to our continuous scanning, penetration testing and research Service to identify areas
of weakness in your systems, you give your express permission to us to perform random, continuous penetration testing on your systems
including attempts to exploit your computer systems or a private network inside your computer system.
6. Support. As far as reasonably possible, we will resolve support issues remotely by email and webchat facilities in a professional and efficient manner
and as quickly as we can. You agree to supply evidence and supporting materials such as screen shots, as necessary to assist us to reproduce any
faults detected. Where a fault is due to User Error or incorrect use of the system, the cost to rectify shall be agreed by the parties (acting reasonably
and in good faith).
7. Data Protection. Each Party shall comply with the data protection provisions at schedule 1 to this Agreement.
8. Fees & Payment (where you are buying direct from us)
8.1. User Fees. If you are buying direct from us, you agree to pay all applicable subscription fees in advance in the applicable currency quoted to
you upfront by credit card for all monthly subscriptions and within 30 days of the date of our invoice for annual subscriptions which are not
paid upfront by credit card. You are responsible for paying any additional taxes on the fees (including without limitation any VAT, sales, use
or withholding taxes now or hereafter enacted), and any duties, levies, excises or tariffs (together “duties”), that are applicable to the
Products (but excluding on our income). All payments hereunder shall be made without deduction for taxes or duties of any kind or nature.
Except as otherwise specified, fees are based on Products purchased and not actual usage, payment obligations are non-cancellable, fees
paid are non-refundable, and the number of subscriptions purchased cannot be decreased during the relevant subscription term. You agree
to accept invoices by email only.
8.2. Cancellations/Refunds. If your subscription is cancelled by either you or us, we will not provide a refund or credit for any unused subscription
period as we will incur costs as a result of the cancellation.
8.3. Overdue Payments. Any payment not received from you by the due date may, at our discretion, accrue interest at a rate of 8% above the
Bank of England base rate per annum.
8.4. Credit Card Authorisation. For credit card payments, we use third-party intermediaries to manage credit and debit card processing. These
intermediaries are not permitted to store, retain or use your billing information except as required to process your credit or debit card
payment for us. You give us authority to share your information (including without limitation credit and debit card details and other personal
data as required) with the third- party intermediaries for such purposes.
8.5. Suspension of Service. If your account is 30 days or more overdue (except with respect to fees then under reasonable and good faith dispute),
in addition to any of our other rights or remedies, we reserves the right to suspend the Products provided to you, without liability, until such
amounts are paid in full. We will provide a 3 days’ notice to you prior to suspending Products under this clause.
9. Proprietary Rights
9.1. Reservation of Rights. Subject to the rights expressly granted hereunder, we reserve all rights, title and interest in and to the Recyber
Platform and the Products, including all related intellectual property rights. No rights are granted to you hereunder other than as expressly
set forth herein.
9.2. Restrictions. Save to the extent expressly permitted by applicable law, you shall not (i) modify, copy or create derivative works based on the
Products; (ii) frame or mirror any content forming part of the Products, other than on your own intranets or otherwise for your own internal
business purposes; (iii) reverse engineer the Service; or (iv) access the Products in order to (i) build a competitive product or service, or
(ii) copy any ideas, features, functions or graphics of the Products.9.3. Customer Data. As between us, you exclusively own all rights, title and interest in and to all Customer Data. Customer Data is deemed the
Confidential Information of Customer under this Agreement. We shall not access your User accounts, including Customer Data, except to
respond to service or technical problems; or at your request or as otherwise permitted under applicable data protection laws to allow us to
access and process Customer Data (aggregated and anonymised) for our legitimate interest in developing and improving the Products and
providing customers with more relevant content and service offerings.
9.4. Suggestions. We shall have a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into
the Products any suggestions, enhancement requests, recommendations or other feedback provided by you or your Users relating to the
operation of the Products.
10. Confidentiality
10.1. Definition of Confidential Information. As used herein, “Confidential Information” means all non-public confidential information of a party
(“Disclosing Party”) disclosed to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that
reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the
terms and conditions of this Agreement (including pricing). Confidential Information shall not, however, include any information which (i) is
in or subsequently becomes part of the public domain through no breach of this Agreement by the Receiving Party; (ii) is already in the
possession of the Receiving Party; (iii) is obtained by the Receiving Party from a third party without a breach of such third party’s obligations
of confidentiality; (iv) is independently developed by the Receiving Party, as shown by documents and other competent evidence in the
Receiving Party’s possession; or (v) is required by law to be disclosed by the Receiving Party.
10.2. Confidentiality. The Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the
scope of this Agreement, except with the Disclosing Party’s prior written permission.
10.3. Protection. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner and extent
that it protects the confidentiality of its own confidential information of like kind (but in no event using less than reasonable care).
10.4. Compelled Disclosure. If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, if legally
permissible, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and
reasonable assistance, at Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. Such disclosure shall not in itself
negate the obligation to otherwise maintain the confidentiality of the Confidential Information under this clause 10.
10.5. Remedies. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in
breach of confidentiality protections hereunder, the Disclosing Party shall have the right, in addition to any other remedies available to it, to
seek injunctive relief to enjoin such acts without posting a bond or other securely, it being specifically acknowledged by the parties that any
other available remedies are inadequate.
11. Warranties & Disclaimers
11.1. Warranties. Each party represents and warrants that it has the legal power to enter into this Agreement. We warrant that i) we will provide
the Products in a manner consistent with general industry standards reasonably applicable to the provision thereof; ii) the functionality of
the Products will not be materially decreased during a subscription term; iii) we will not knowingly allow the Products to contain or transmit
to Customer any virus or other malicious code; iv) we own or licence all rights in the Products and software required to grant to you the
rights to use the Products and software granted herein; and v) the Service do not, and your use of the Products as provided hereunder will
not, infringe any intellectual property rights of any third party. You warrant that the collection and processing of any Customer Data by us
and/or as contemplated by this Agreement complies in all respects with applicable data protection laws and regulations.
11.2. Warranty Exclusions. Notwithstanding the foregoing, we: (a) do not warrant that use of the Products will be uninterrupted or error-free;
and (b) are not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over
communications networks and facilities, including without limitation the internet, and you acknowledge that the Products may be subject to
limitations, delays and other problems inherent in the use of such communications networks and facilities. We provide no assurance or
guarantee that the Products will provide a solution to your specific needs. The Products are not bespoke or tailored to you or your
requirements and we do not warrant that the Products will meet your requirements. We do not warrant that the continuous scanning,
penetration testing and research Service will identify any or all weaknesses in your systems nor do we warrant that the results of our Products
will enable you to strengthen your systems sufficiently to protect against all unwanted intrusions, attacks or hacks.
11.3. Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, WE PROVIDE NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED,
STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY,
SUITABILITY, SATISFACTORY QUALITY OR FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
ALL PRODUCTS ARE PROVIDED “AS IS”.
12. Indemnification
12.1. Indemnification by us. Subject to your compliance with the terms of this Agreement and payment of all fees due, we shall defend and
indemnify you against any loss, damage or costs (including reasonable attorneys’ fees) incurred in connection with claims, demands, suits,
or proceedings, to the extent that we have been negligent, (“Claims”) made or brought against you by a third party alleging i) a breach by us
of our obligations under applicable data protection laws and regulations; or ii) that the use of the Products as contemplated hereunder
infringe the intellectual property rights of a third party; provided, that you a) promptly give written notice of the Claim to us; b) give us sole
control of the defence and settlement of the Claim (provided that we may not settle or defend any Claim unless it unconditionally releases
you of all liability); and c) provides to us, at our cost, all reasonable assistance.12.2. Indemnification by you. Subject to this Agreement, you shall defend, indemnify and hold us harmless against any loss, damage or costs
(including reasonable attorneys’ fees) incurred in connection with Claims made or brought against us by a third party alleging i) a breach by
you of your obligations under applicable data protection laws and regulations; or ii) that the Customer Data, or your use of the Products in
violation of this Agreement, infringes the intellectual property rights of, or has otherwise harmed, a third party; provided, that we a) promptly
give written notice of the Claim to you; b) give you sole control of the defence and settlement of the Claim (provided that you may not settle
or defend any Claim unless it unconditionally releases us of all liability); and c) provides to you, at your cost, all reasonable assistance.
13. Limitation of Liability
13.1. The following provisions shall apply:
13.1.1. Limitation of Liability. Nothing in this Agreement shall limit or exclude either party’s liability for: (a) death or personal injury caused
by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability which cannot be limited or excluded by applicable
law. SAVE AS AFORESAID, TO THE MAXIMUM EXTENT PERMITTED BY LAW, OUR AGGREGATE LIABILITY ARISING OUT OF OR RELATED
TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, SHALL NOT EXCEED THE AMOUNTS
ACTUALLY PAID BY YOU FOR THE PRODUCTS IN THE TWELVE MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY.
13.1.2. Exclusion of Consequential and Related Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WESHALL HAVE NO LIABILITY
YOU FOR ANY LOST PROFITS, LOSS OF BUSINESS, LOSS, CORRUPTION OR RECOVERY OF DATA OR SYSTEMS, OR FOR ANY INDIRECT,
SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY
OTHER THEORY OF LIABILITY, AND WHETHER OR NOT FORESEEABLE OR WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
14. Term & Termination
14.1. Term of Agreement. This Agreement commences on the Effective Date and, subject to Clause 3 and the remainder of this Clause 14, shall
continue until all User subscriptions granted in accordance with this Agreement have expired or been terminated.
14.2. Termination for Cause. A party may terminate this Agreement for cause: i) upon thirty (30) days written notice of a material breach to the
other party if such breach remains uncured at the expiration of such period; or ii) if the other party becomes the subject of a petition in
bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors or any event
analogous to the foregoing occurs in relation to that other party in any jurisdiction.
14.3. Termination by us. If we are no longer legally able to grant licenses to use our Products, we reserve the right to terminate the Agreement
and your subscription.
14.4. Outstanding Fees. Termination shall not relieve you of the obligation to pay any fees accrued or payable to us prior to the effective date of
termination.
14.5. Return of Customer Data. Upon request made within in writing to us within 30 days after the effective date of termination, we will make
return or destroy any Customer Data in our possession.
15. General Provisions
15.1. Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture,
agency, fiduciary or employment relationship between the parties.
15.2. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
15.3. Publicity. You agree that we may include your name and logo in our published lists of customers or vendors. Any other use of your name
or logo for marketing purposes shall be made only with your prior approval.
15.4. Notices. All notices under this Agreement shall be in writing and shall be deemed to have been given upon: (i) personal delivery; (ii) the
second business day after mailing; or (iii) at the time of transmission, or, if this time falls outside business hours in the place of receipt, when
business hours resume after sending by email.
15.5. Waiver and Cumulative Remedies. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver
of that right. Other than expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies
of a party at law or in equity.
15.6. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision to be modified
by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the
remaining provisions of this Agreement shall remain in effect.
15.7. Assignment. You shall not, without our prior written consent assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over
or deal in any other manner with any of its rights and obligations under this Agreement. We may at any time assign, mortgage, charge,
subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under this Agreement.
15.8. Governing Law. This Agreement (including any non-contractual obligations or liabilities arising out of it or in connection with it) shall be
governed exclusively by, and construed exclusively in accordance with, the laws of England and Wales to the exclusion of its conflict of law
provisions.
15.9. Venue. The courts of England and Wales shall have exclusive jurisdiction to adjudicate and dispute arising out of or relating to this Agreement
(including non-contractual disputes or claims). Each party hereby consents to the jurisdiction of such courts.
15.10. Entire Agreement. This Agreement constitutes the entire agreement between the parties, and supersedes all prior and contemporaneous
agreements, proposals or representations, written or oral, concerning its subject matter. These terms may be modified or updated from time
to time by us and any modified terms published on our website will apply to you from the renewal date of your subscription (at the end ofthe month for monthly subscriptions and at the end of 12 months for annual subscriptions). Notwithstanding any language to the contrary
therein, no terms or conditions stated in your purchase order or in any other order documentation from you shall be incorporated into or
form any part of this Agreement, and all such items or conditions shall be null and void.Schedule 1: Data Protection
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these Standard Contractual Clauses (“the Clauses”) is to ensure compliance with Article 28(3) and (4) of
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation) as well as compliance with the UK Data Protection Act 2018; and the GDPR as it forms part
of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act
2018 (together referred to as “the Data Protection Legislation”).
(b) You are the Data Controller and we are the Data Processor for the purposes of this Schedule and the Data Protection
Legislation. The parties have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation
(EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
(c) These Clauses apply to the processing of personal data as specified in Annex I.
(d) Annexes I to III are an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679
and/or Regulation (EU) 2018/1725.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with
Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2
Invariability of the Clauses
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in
them.
Clause 3
Interpretation
(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those
terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU)
2018/1725 respectively.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU)
2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of the Terms between the Parties existing at the time when these
Clauses are agreed or entered into thereafter, these Clauses shall prevail.
SECTION II
OBLIGATIONS OF THE PARTIES
Clause 5
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal
data is processed on your behalf, are specified in Annex I.
Clause 6
Obligations of the Parties
6.1. Instructions
(a) We shall process personal data only on your documented instructions, unless required to do so by Union or Member State law
to which we are subject. In this case, we shall inform you of that legal requirement before processing, unless the law prohibits
this on important grounds of public interest. Subsequent instructions may also be given by you throughout the duration of the
processing of personal data. These instructions shall always be documented. For this purpose, you specifically agree to our
processing of your personal data as stated in this Schedule.
(b) We shall immediately inform you if, in our opinion, instructions given by you infringe Regulation (EU) 2016/679 / Regulation
(EU) 2018/1725 or the applicable Netherlands or Member State data protection provisions.
6.2. Purpose limitation
We shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless we receive further
instructions from you.
6.3. Duration of the processing of personal data
Processing by us shall only take place for the duration specified in Annex I.
6.4. Security of processing
(a) We shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the
personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss,
alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security,
the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes
of processing and the risks involved for the data subjects.(b) We shall grant access to the personal data undergoing processing to members of our personnel (including contractors and
representatives) only to the extent strictly necessary for implementing, managing and monitoring of the contract. We shall
ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are
under an appropriate statutory obligation of confidentiality.
6.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s
sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific
restrictions and/or additional safeguards.
6.6. Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) We shall deal promptly and adequately with inquiries from you about the processing of data in accordance with these Clauses.
(c) We shall make available to the you all information necessary to demonstrate compliance with the obligations that are set out
in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At your request, we shall
also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there
are indications of non-compliance. In deciding on a review or an audit, you should take into account relevant certifications held
by us.
(d) You may choose to conduct the audit by yourself or mandate an independent auditor, all at your own cost. Audits may also
include inspections at our premises or physical facilities and shall, where appropriate, be carried out with reasonable notice
and subject always to the duty of confidentiality.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent
supervisory authority/ies on request.
6.7. Use of sub-processors
(a) You authorise us to engage sub-processors listed in Annex I. We shall inform you in writing of any intended changes of that list
through the addition or replacement of sub-processors at least 30 days in advance, thereby giving you sufficient time to be
able to object to such changes prior to the engagement of the concerned sub-processor(s). We shall provide you with the
information necessary to enable us to exercise the right to object. In emergencies (such as failure of a third party data centre)
we may appoint a new sub-processor immediately to protect your personal data and ensure continuity of the Service in which
case we will notify you as soon as practically possible. If you do not agree to any additional or replacement sub-processor, you
may terminate the agreement by giving us 30 days’ notice in writing within 30 days after notification to you.
(b) Where we engage a sub-processor for carrying out specific processing activities (on your behalf), we shall do so by way of a
contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on us in
accordance with these Clauses. We shall ensure that the sub-processor complies with the obligations to which the processor is
subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) At your request, we shall provide to you a copy of such a sub-processor agreement and any subsequent amendments. To the
extent necessary to protect business secret or other confidential information, including personal data, we may redact the text
of the agreement prior to sharing the copy.
(d) We shall remain fully responsible to you for the performance of the sub-processor’s obligations in accordance with its contract
with us. We shall notify you of any failure by the sub-processor to fulfil its contractual obligations.
(e) We shall agree a third party beneficiary clause with the sub-processor whereby – in the event we have factually disappeared,
ceased to exist in law or has become insolvent – you shall have the right to terminate the sub-processor contract and to
instruct the sub-processor to erase or return any personal data it has stored or retained.
6.8. International transfers
(a) Any transfer by us of personal data to a third country or an international organisation that is not recognised under GDPR as
having adequate safeguards in place with respect to your personal data shall be done only on the basis of documented
instructions from you or in order to fulfil a specific requirement under UK, Union or Member State law to which we are subject
and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725. For this
purpose, the parties agree to the Standard Contractual Clauses to comply with Regulation (EU) 2016/679 as set out under the
Data Protection Legislation to the extent that any of your personal data is transferred to a country outside the UK and EEA that
is not deemed by the UK or European Union to have adequate safeguards in place.
Clause 7
Assistance to the controller
(a) We shall promptly notify you of any request we have received from a data subject. We shall not respond to the request itself,
unless authorised to do so by you.
(b) We shall assist you in fulfilling your obligations to respond to data subjects’ requests to exercise their rights, taking into
account the nature of the processing. In fulfilling our obligations in accordance with (a) and (b), we shall comply with your
instructions
(c) In addition to our obligation to assist you pursuant to Clause 7(b), we shall furthermore assist you in ensuring compliance with
the following obligations, taking into account the nature of the data processing and the information available to us:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection
of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high
risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection
impact assessment indicates that the processing would result in a high risk in the absence of measures taken by
the controller to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing you without delay if we
become aware that the personal data we are processing is inaccurate or has become outdated;
(4) the obligations in Article 32 of Regulation (EU) 2016/679.(d) The Parties shall set out in Annex II the appropriate technical and organisational measures by which the processor is required
to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
Clause 8
Notification of personal data breach
In the event of a personal data breach, we shall cooperate with and assist you to comply with your obligations under Articles 33 and 34 of
Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of
processing and the information available to us.
8.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by you, we shall assist you:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after you have become
aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural
persons);
(b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679 shall be stated in your
notification, and must at least include:
(1) the nature of the personal data including where possible, the categories and approximate number of data
subjects concerned and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by you to address the personal data breach, including, where
appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information
then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679 with the obligation to communicate without undue delay the
personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and
freedoms of natural persons.
8.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by us, we shall notify you without undue delay after we become aware of
the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects
and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its
possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information
then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex I all other elements to be provided by the processor when assisting the controller in the compliance with
the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III
FINAL PROVISIONS
Clause 9
Non-compliance with the Clauses and termination
(a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that we are
in breach of our obligations under these Clauses, you may instruct us to suspend the processing of personal data until we
comply with these Clauses or the contract is terminated. We shall promptly inform you in case we are unable to comply with
these Clauses, for whatever reason.
(b) You shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these
Clauses if:
(1) the processing of personal data by us has been suspended by you pursuant to point (a) and if compliance with
these Clauses is not restored within a reasonable time and in any event within one month following suspension;
(2) We are in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679
and/or Regulation (EU) 2018/1725;
(3) we fail to comply with a binding decision of a competent court or the competent supervisory authority/ies
regarding its obligations pursuant to these Clauses or Regulation (EU) 2016/679 and/or Regulation (EU)
2018/1725.
(c) We shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where,
after having informed you that your instructions infringe applicable legal requirements in accordance with Clause 6.1 (b), you
insist on compliance with the instructions.
(d) Following termination of the contract, we shall, at your choice, delete all personal data processed on your behalf and certify
that we have done so, or, return all the personal data to you and delete existing copies unless Union or Member State law
requires storage of the personal data. Until the data is deleted or returned, we shall continue to ensure compliance with these
Clauses.Annex I
Purposes for which the Personal Data shall be processed
• Please specify the purposes for which the Data Processor
intends to process the Personal Data.
We provide a web-based service for testing your systems for IT
weaknesses and training your staff on cybersecurity issues. We
process your personal data in order to provide these Products to you
as described in the SaaS Agreement. We may also access and process
personal data (aggregated and anonymised) for its legitimate interest
in developing and improving our Products and providing customers
with more relevant content and service offerings
Description of the categories of the data subjects
• Please specify the categories of data subject whose Personal
Data shall be processed under this Agreement.
Personal information is processed about your Users where necessary
for the provision of the Products to you.
Description of the categories of Personal Data
• Please specify the categories of Personal Data that shall be
processed under this Agreement.
Personal data includes your employee data including but not limited
to employee names, job titles, email address and phone number,
Description of transfers of Personal Data to a country outside of
the UK/ EEA
• Please record transfers of Personal Data outside of the UK/EEA,
recording the country and/or international organisation and,
where applicable, please document suitable safeguards.
No Personal Data is transferred outside of the UK/EEA.
The envisaged time limits for erasure of the different categories of
Personal Data
• Please specify how long you think the Personal Data will be
retained for, where possible.
30 days after termination or expiry of the SaaS Agreement, all
Personal Data processed on your behalf shall be permanently
deleted.
Authorised Sub-Processors
• List the sub-processors who will process Personal Data.
An up to date list of sub-processors can be found at
data-privacy
