1.      Definitions.

In addition to capitalized terms defined elsewhere in these ToS, the following terms will have the meanings set forth below:

1.1.           Affiliate.  An entity that controls, is controlled by, or is under common control with the subject entity.  Control for this purpose means direct or indirect ownership or control of more than 50% of the voting Interests of the entity     .

1.2.           Customer Data.  Electronic data and information that is submitted to our Service by or for you or your Affiliates.

1.3.           Documentation.  All specifications, user manuals, and other materials relating to the Service that we provide or make available to you or your Affiliates, as modified from time to time.

1.4.           Framework.  A supporting set of controls created by an accredited organization that form the basis of a security program.

1.5.           GRC.  Governance, risk and compliance.

1.6.           GRC Platform.  The software for which evidence, proof and tasks of compliance are aggregated and reported.

1.7.           Governance as a Service (GaaS).  The administration of a GRC Platform and the ongoing maintenance of compliance to specific programs or Frameworks.

1.8.           Implementation Service.  Professional Service purchased from us and required for the set-up of your GaaS compliance administration and monitoring.

1.9.           Order.  Each written or online order  specifies the Service to be provided by us and the Fees applicable to those Services.  By entering an Order, you and your Affiliates are agreeing to be bound by these ToS.  An Order may be included in a Proposal.

1.10.        Proposal.  A      document setting forth the details of the Service that we are proposing to provide to you or your Affiliates.

1.11.        Reports.  Analyses and recommendations we may provide from time to time that are      designed to improve your compliance with the standards specified in the Service.

1.12.        Service.  The products and Service that we provide to You, whether Professional Service, those that are ordered by you under an Order or those that you receive under a free trial, including any associated offline components.

1.13.        User.  In the case of a person accepting the ToS on their own behalf, that person.  In the case of a person accepting the ToS on behalf of a legal entity, an individual (1) that the legal entity has authorized to use the Service, (2) for whom it has purchased a subscription, and (3) who has been has supplied a Username and password, either by the entity or by us at the entity’s request.  Users may include, for example, your employees, consultants, contractors, and agents.

1.14.        You or Your.  In the case of a person accepting the ToS on their own behalf, the person.  In the case of a person accepting the ToS on behalf of a legal entity, that legal entity and any Affiliates of that entity that itself has      entered an Order.

2.      Responsibility.

2.1.           The ToS governs your access to and use of our Service and all content, services, tools, technologies, and products that may be available through our portals, website, or off-line.  This includes electronic signature Service, online uploads, displays, deliveries, acknowledgments, and storage Service for documents and electronic contracts (collectively, “E-Service”).  We will also perform the professional Service described in any duly executed Proposal (“Professional Service”). 

2.2.           You are engaging us to provide Service as described in the relevant Proposals (each, a “Proposal”).  Neither of us will have any obligations with respect to a draft Proposal unless and until it has been fully executed.  (Electronic Signature and first month’s payment.)  If a Proposal conflicts with the ToS, the Proposal will govern, but solely for the Service it describes.  The only exception is if the Proposal explicitly states that it is intended to modify the conflicting ToS terms.  In many cases, Service to an Affiliate may be required.  These will be added to any Proposal via a change order.

2.3.           Subject to your (1) purchasing the right to access and use the Service from us, and (2) your use of the Service in compliance with the ToS and the applicable Proposal, we grant you a limited, non-sublicensable, non-exclusive, non-transferable license to access and use the Service by up to the number of Users described in the Proposal.  This grant is (1) for your internal use only, (2) for the use(s) described in the Proposal, and (3) is subject to the ToS and any Documentation that we provide to you relating to the Service.  Holistically, we refer to this as a ‘Subscription,” and your Subscription is not for resale or further distribution unless we otherwise agree in writing.  Except as otherwise provided in a Proposal, or as may be expressly permitted by applicable law, you will not, nor will you permit or authorize anyone else to: (1) modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Service; (2) copy, reproduce, distribute, republish, download, distribute, disclose, encumber, time-share, license, sell, display, or transmit any part of the Service in any form or by any means; (3) frame or use framing techniques to enclose any trademark, logo, or other portion of the Service; (4) use or access the Service to build a similar or competitive, product, or service; (5) intentionally hold us, or our employees and directors, up to public scorn, ridicule or defamation; (6) take any action that materially interrupts or interferes with, or that might reasonably have been expected to materially interrupt or interfere with, the Service, our business operations or our other customers; (7) run any form of auto-responder or “spam” on the Service or use the Service to otherwise send “spam” to any third-party; (8) use the Service in any unlawful way, for any unlawful purpose or to violate any law, code of conduct or other guideline that may be applicable to the Service; (9) circumvent or disable any security features or measures in the Service; or (10) publicly post any material that we provide and that is both copyrighted and specifically related to Cybersecurity Policies.  Any rights not expressly granted in the ToS are reserved by us.    

2.4.           You will not access, store, distribute, or transmit any Viruses or other material that adversely affects our systems.  This includes anything that (1) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing, or racially or ethnically offensive; (2) facilitates illegal activity; (3) causes damage or injury to any person or property; or (4) is in violation of the ToS.  The term “Virus” refers to any thing or device (including any software, worms, or the like) that may prevent, impair, or otherwise adversely affect (1) the operation of computer software, hardware or networks, any telecommunications service, equipment, or networks, or any other service or device, (2) access to or the operation of any program or data, including its reliability, or (3) the user experience.

2.5.           You will ensure that your network and systems comply with the specifications we provide from time to time.  You will give us any information we may need to provide the Service.  You will obtain, maintain, and support all Internet access, computer hardware, and other equipment and Service      required for you to access and use the Service.  You will set access controls for your authorized Users.  You will use commercially reasonable efforts to prevent unauthorized access to or use of the Service.  You will give us prompt notice (but no later than 48 hours) of any unauthorized use of your account or any other known breach of security.  You authorize us to send you marketing materials or other documentation periodically.

2.6.           We reserve the right, without liability to you, to disable or suspend your access to the Service if (1) there is any breach or anticipated breach by you of the ToS; (2) you or your Users’ use of the Service disrupts or poses a security risk to the Service or any other customer, may harm our systems (or any provider of any third-party Service) or may subject us or any third-party to liability; (3) you or your authorized Users are using the Service for fraudulent or illegal activities; or (4) our continuing to provide any Service to you is prohibited by applicable law; or (5) past due invoices 5 days beyond the due date.

3.      Our Service Stack.

We will provide you and your Users with a Subscription to our GaaS as set forth      in the Proposal.  The number and timing of meetings, and the quantity of deliverables, will be outlined in the Proposal.  All key elements of proof will be stewarded on the GRC Platform.  These may include any mix of:

3.1.           Illustrations of cyber governance compliance and cyber maturity through a series of oversight, risk register, compliance desk, capabilities, and proofs-of-documentation.

3.2.           Email and telephone governance support Service, on an 8x5x5 basis, through our GRC Help Desk      for your security program, cyber risk, and reasonable cyber compliance questions.  The GRC Desk will identify via email or ticketing system, policy and risk register recommendations or actions to you and track all work in your GRC Platform.

3.3.           GRC Desk verification of security controls recommendations, gaps, and attestation.  These reports will be stored and tracked on the GRC Platform as evidence of compliance.\

3.4.           On request, GRC Desk modifications and updates to information security policies, compliance recommendations, and program attestations using the GRC Platform through an information security policy addendum or base document rebuild, as we deem reasonable.  As frameworks and regulatory requirements change, we will reasonably track and modify framework versions, update written information security policies, and provide updates on regulations in scheduled GRC review meetings.

3.5.           Provision by the GRC Desk of supplemental documented guideline templates with a package of user and business policies.  This may include Business Continuity Plans Cyber Section, Cyber Incident Response Plans, Ransomware Playbook, Tabletop Exercise Plans, customization of procedures and policies to prepare executive governance and GRC meetings for security program upkeep.

3.6.           Third-Party attestation support and compliance defense for contracted Frameworks.  This will be for the specified number of “end-client of Customer” requests as specified in the Proposal and will be handled and tracked by the GRC Desk ticketing system via [email protected].  Key elements of this proof will be managed in the GRC Platform. 

3.7.           Meetings, tabletop exercises, and presentation      of tasks for critical-incidents, patches, awareness, threat intelligence, and change control actions during the GaaS Service period.  Our operations staff may prepare and provide information security reports and GRC actions in tracked support requests for the prior period. 

3.8.           Executive meetings for security reviews, compliance metric benchmarking and tracking, high level progress reports of Risk Register, identification of security roadblocks, review of impactful policy changes, summarization of the Technical GRC compliance review meetings, and risk objectives in risk register to be performed in the next period.  Our GRC Desk may provide a summary of high-level metrics to be used by your internal IT staff or managed service provider for incident escalations, incident types, resolutions, and additional findings from the GRC.

3.9.           Any contracted external vulnerability assessments.

3.10.        Conducting a “lite” automated external penetration test annually, either by us or one of our affiliates, using open-source tools and produce      an artifact in support of information security policy and compliance.

3.11.        On reasonable request, we may also provide virtual Executive level support to your executive staff regarding budgets, staffing, vendors, and other strategic planning initiatives that would be      consistent with the duties of a Chief Information Security Officer.

3.12.        Go-to-Market (GTM) Service as outlined in the Proposal.

4.      Users.

You and your Users are responsible for maintaining the security of your accounts.  You are also responsible for all activities, damage, misconduct, or breaches that occurs under your account.  To obtain access to the Service, you will provide each User with a unique user ID.  When registering Users, each User will provide accurate information and will promptly update all registration information to keep it accurate, current, and complete.  Only the User associated with a particular User ID will use that ID to access or use the Service.  From time to time, you may deactivate and reallocate logons      or User IDs for the Service to different individual Users, as reasonable and necessary.  You will manage your User IDs (and any associated passwords and access privileges) to or for the use of the Service, in accordance with the ToS and subject to our approval.  You will strictly maintain the confidentiality of all User IDs and passwords.  You are solely responsible for all transactions, activities, and other consequences resulting from the use or disclosure of your logons     , User IDs, and passwords.  You will promptly report to us any breach of confidentiality concerning your User IDs, passwords, or the Service, or any other problem with the Service.  You will not allow the Service to be accessed or used by anyone other than you and your authorized Users.  We may refuse use or access to a Service by anyone other than you and your authorized Users.

5.      User Content.

5.1.           All content that you or your Users upload to the E-Service is defined collectively here as “Content.”  You will be liable for the accuracy, quality, integrity, and legality of your Content and of the means by which your Users access and use that Content.  You grant us a worldwide, irrevocable, fully paid, non-exclusive right and license to reproduce, distribute, and display Content as necessary to provide the Service.  You warrant that you own all Content or that you have permission from the rightful owner to use your Content.  You also warrant that you have all rights necessary for us to use the Content in connection with the Service.  You and your licensors retain title, all ownership rights, and all Intellectual Property (as defined in Section 6), in and to Content and reserve all rights not expressly granted to us here.  However, we may process aggregated, anonymized data that cannot identify any person and that is derived from or created through the use of the Service by you or your Users.

5.2.           You will not knowingly upload Content that (1) is unlawful or promotes unlawful activities; (2) defames, harasses, abuses, threatens or incites violence towards any individual or group; (3) is pornographic, discriminatory or otherwise victimizes or intimidates an individual or group on the basis of religion, gender, sexual orientation, race, ethnicity, age or disability; (4) is spam, machine-generated or randomly-generated, constitutes unauthorized or unsolicited advertising, chain letters, or any other form of unauthorized solicitation, or any form of lottery or gambling; (5) contains or installs any viruses, worms, malware, Trojan horses, or other content that is designed or intended to disrupt, damage, or limit the functioning of any software, hardware, or telecommunications equipment, or to damage or obtain unauthorized access to any data or other information of a third party; (6) infringes on anyone’s proprietary rights; (7) impersonates any person or entity, including any of our employees or representatives; (8) contains payment card data; or (9) violates the privacy of any third party, our employees or our representatives.

5.3.           We will not screen, review, edit, censor, or otherwise filter or control Content.  However, we may (but are not obliged to) review all Content or review any areas of our site where your Users transmit or post communications.  We retain the right (but disclaim any obligation) to reject, not post, not use, remove, amend, deny access to or delete Content, without notice, that breaches the ToS.  We retain the right to co-operate with any law enforcement authorities, or in response to court and other official requests, directing that we disclose the identity of anyone posting Content.

5.4.           We use third parties to host, provide Service, and store Content.  The protection of Content will be in accordance with each third-party’s safeguards.  You will properly configure and use the Service.  You will take appropriate steps to maintain security, protection, and backup of your Content.  We are not responsible for any unauthorized access to, alteration of, or deletion, destruction, damage, loss, or failure to store Content or other information that you and your Users submit or use in connection with the Service.

6.      Ownership.

We retain all rights, titles, and interests in all Intellectual Property and proprietary rights with respect to the Service and any other materials that we provide or make available to you.  “Intellectual Property” means all intellectual property or proprietary rights in any jurisdiction.  Except for the rights expressly granted to you by the ToS, all Service and other materials that may be provided or made available, all modifications, compilations, and derivative works thereof, and all Intellectual Property and proprietary rights pertaining thereto, are and will remain our property and that of our respective licensors, as applicable.  Notwithstanding this, you may submit comments, questions, ideas or other information to us related to the Service (“Feedback”).  We may freely use, copy, disclose, license, distribute, and exploit any Feedback in any manner and without any obligation, royalty, or restriction (and to the extent, any rights of ownership in any such materials, works, or rights might, for any reason, otherwise vest in you, you assign them to us).

7.      Disclaimer of Liability.

7.1.           We disclaim all liability relating to Content, including any error, virus, defamation, libel, obscenity, or inaccuracy contained in Content     , however      it may arise.  This includes liability for unauthorized use of Content or for      use that infringes a copyright, trademark right, or other intellectual property right.       You are solely responsible for all damages that result from submissions or use of Content and any related transactions or occurrences.  We have no responsibility for unauthorized access to any of your User accounts, or for automatic forwarding of messages or viruses, however caused.

7.2.           The Service may integrate with or provide links to various other independent third-party products, or services (“Linked Sites”).  We do not control or endorse Linked Sites.  We are neither responsible for their content nor responsible for the accuracy or reliability of any information, data, opinions, advice, or statements contained within them.  You will need to make your own independent judgment regarding your interaction with Linked Sites.  We encourage you to be aware of when a user leaves the Service and to read the terms and privacy policy of each Linked Site.  We may terminate any link or linking program at any time in our sole discretion.  We disclaim all warranties, express and implied, as to the accuracy, validity, legality or otherwise of any materials, or information contained on Linked Sites.

7.3.           The Service may integrate with certain third-party websites and applications (“Third-Party Services”).  Third-Party Services will be governed solely by the terms of the Third-Party Service, as agreed to between you and a Third-Party Service provider.  We neither endorse or support nor are responsible for any Third-Party Services.  You may enable integration between the Service and Third-Party Services.  By doing so, you (1) instruct us to share Customer Data (including any Personal Data) with the Third-Party Service provider to facilitate the integration; and (2) grant us permission to allow the Third-Party Service provider to access Customer Data and information about your use of the Third-Party Service.  You are responsible for providing all instructions to a Third-Party Service provider about the use and protection of Customer Data.  We and your Third-Party Service providers will not be deemed processors or sub-processors of Personal Data with respect to each other.

8.      Fees.

8.1.           In consideration for performing the Service, you will pay us the fees in each applicable Proposal and in accordance with that Proposal, plus all fees for any applicable add-on Service (such as payments and Onboarding and Professional Services), as you may elect to use from time to time (“Fees”).  All additional licenses and add-on Services (as defined in the Proposal) added during the Proposal term will be added for the remainder of the Proposal term on an annualized pro-rata basis.  “Fees” are exclusive of any taxes, levies, and duties assessable by any jurisdiction, excluding only taxes based on our net income, assets, payroll, property, and employment (collectively, “Taxes”).  If anything that we provide to you is subject to a Tax, you will pay that Tax.  You will include payment of Taxes in your payment of Fees and expenses to us.  All payments will be in U.S. dollars.  Any unused portions of volume-based purchases (e.g. API Service) will expire at the end of the Contract End Date as defined in a Proposal.  No amounts will roll over into subsequent contract years.  Unless required by law, all amounts due and payable by you to us must be paid in full without any deduction, set-off, counterclaim, or withholding of any kind.

8.2.           You will pay us by check, wire transfer, ACH, or credit card.  If you pay us with a credit card, then (1) you authorize us to automatically charge your designated credit card account for Fees and Taxes, in advance or as otherwise agreed in writing, and (2) a non-refundable 2.75% Convenience Fee will be added to each payment.  Your authorization will remain in effect until you cancel it by providing us with notice.  If credit card account on file is closed, if the account information is changed, or if, for any reason, a charge is rejected, you will immediately update your credit card account or supply a new payment account, as appropriate.  If you are unable to update your credit card account with appropriate information, then we will send an invoice to you detailing the amount due.  You will pay the amount due in full within seven days after the date of the invoice.  You will notify us of any changes to your account information or termination of your authorization at least 30 days before the next billing date.  If payment dates fall on a weekend or holiday, you understand that the payments may be executed on the next business day.

8.3.           We may, without liability, disable the password, account, or access to all or part of the Service if any Fees and Taxes are not paid within 45 days of when they first become due and payable.  We will not be obligated to provide any Service until all Fees and Taxes are paid in full.

8.4.           If you have a bona fide dispute concerning any portion of the Fees invoiced, you will pay all invoiced Fees and Taxes and thereafter provide us with notice of the dispute within 30 days from the date of the invoice.  This notice will set forth the details surrounding the dispute.       You waive the right to dispute any Fees not disputed within 30 calendar days after the date of invoice.  We will discuss the disputed Fees within five calendar days of the date of the notice.  When the dispute is resolved, (1) if a payment is owed to us, the payment will be made within 10      business days of the dispute resolution or (2) if an amount is owed to You, we, in our sole discretion, will either (a) credit the amount to your account within      10      business days of dispute resolution (or within such other timeframe as mutually agreed on in writing), or (b) apply a pro-rated credit amount to your account for the remainder of the then-current term.  All negotiations under this subsection will be treated as confidential compromise and settlement negotiations.  Nothing said or disclosed, nor any document produced, during the negotiations which is not otherwise independently discoverable will be disclosed to any third party nor offered or received as evidence or used for impeachment or for any other purpose in any current or future arbitration or litigation. 

9.      No Legal Advice; Electronic Communication.

9.1.           We are not a law firm, and the Service does not provide any legal advice.  Part of the Service may involve the making of contracts or other legal relations, and      although we attempt to make sure our information is accurate and useful, we recommend that you consult with a lawyer if legal advice is required. 

9.2.           You will receive various electronic communications from us during your use of the Service.  For contractual purposes, you (1) consent to receive communications from us in electronic form; and (2) agree that all communication that we provide to you electronically satisfy any legal requirement that a communication would satisfy if it were to be a written, hard copy. This will not affect your non-waivable rights.

9.3.           You understand that the public Internet is inherently insecure and that any devices connected directly or indirectly to it are potentially reachable by sophisticated hackers and their tools.  You also understand that, given the number of individuals, contractors, and third parties who interact with your internal systems, it is inevitable that, eventually, there will be some type of compromise.  The Service is designed to prepare you for when a compromise occurs by establishing a security program with a central portal for artifacts, policies, documents, and actions      to help prepare you to defend yourself under the NIST CSF open standards and guidelines.  No Service Level Agreements are offered absent an upgrade to our Business or Enterprise Class Service.

10.  Disclaimer of Warranties and Limitation of Liability.

10.1.        YOUR USE OF THE SERVICE AND ANY DOCUMENTATION IS AT YOUR SOLE RISK.  THE SERVICE AND DOCUMENTATION ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS.  WE AND OUR SUPPLIERS AND LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.  WE DO NOT GUARANTEE THE ACCURACY, COMPLETENESS, OR USEFULNESS OF THE SERVICE OR DOCUMENTATION.  ANY MATERIAL THAT YOU OR YOUR USERS ACCESS OR OBTAIN THROUGH THE SERVICE IS DONE AT YOUR OWN DISCRETION AND RISK.  YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTERS OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY MATERIAL THROUGH THE SERVICE.  WE DO NOT REPRESENT, WARRANT, OR COVENANT THAT THE SERVICE AND DOCUMENTATION WILL BE AVAILABLE WITHOUT INTERRUPTION OR TOTALLY ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED.  SOME STATES MAY PROHIBIT A DISCLAIMER OF WARRANTIES AND YOU MAY HAVE OTHER RIGHTS THAT VARY FROM STATE TO STATE.

10.2.        WE AND OUR SUPPLIERS AND LICENSORS WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES      (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES), THAT RESULT FROM      USE OF THE SERVICE OR DOCUMENTATION.  UNDER NO CIRCUMSTANCES WILL OUR TOTAL AND CUMULATIVE LIABILITY (INCLUDING THAT OF OUR SUPPLIERS AND LICENSORS) FOR DIRECT DAMAGES THAT ARISE OUT OF OR IN CONNECTION WITH THE SERVICE OR OTHERWISE (INCLUDING WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE AMOUNTS, IF ANY, THAT YOU HAVE PAID TO US IN THE 12 MONTHS IMMEDIATELY PRECEDING THE DATE OF THE CLAIM.  THIS SECTION IS FUNDAMENTAL, AND ITS SPECIFIC REQUIREMENTS WILL BE CONSIDERED THE BASIS OF THE BARGAIN BETWEEN US.  WE WOULD NOT BE ABLE TO PROVIDE THE SERVICE OR PERFORM OUR OBLIGATIONS WITHOUT YOUR AGREEMENT TO THESE TERMS.

11.  Indemnity.

You will indemnify, defend, and hold us, and our respective subsidiaries, affiliates, officers, agents, employees, representatives, and assigns      harmless from and against any costs, damages, expenses, losses,        demands, and liabilities, including reasonable attorney fees, that relate to any claim (“Claim”) arising out of (1) you and your User’s acts or omissions; (2) you and your User’s use of the Service; or (3) our use of your Content that constitutes an infringement, violation, trespass, contravention or breach of any patent, copyright, trademark, license or other property or proprietary right, or constitutes the unauthorized use or misappropriation of any trade secret.  We reserve the right to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event, you will assist and cooperate with us in asserting any available defenses.  You will not settle any such matter without our prior written consent.

12.  Term and Termination.

12.1.        Unless otherwise terminated under this Section, the ToS will be in effect (“Term”) starting on the date that you first use the Service and continuing for the period in the applicable Proposal (“Term”).  You may request to make changes to your annual payments (i.e., reduction of      plan, removal of add-ons, etc.) at least 90 days before the end of the then-current Term.  Your Subscription will automatically renew on an annual basis unless you provide us with written notice of intent to not      renew at least 30 days prior to the end of the then-current Term.  We may or may not forward a renewal notice.  Price changes based on the Consumer Price Index may be given 30 calendar days prior to the change.

12.2.     If one of us materially breaches the ToS or any Proposal (“Defaulting Party”) and does not cure the breach within 30 calendar days after it has received notice of the breach, the non-defaulting party may terminate Service immediately thereafter on notice to the Defaulting Party.  Termination will be without prejudice to any other rights and remedies that the non-defaulting party may have at law or in equity.

12.3.     Either party may terminate Service if the other becomes Insolvent.  For this purpose, “Insolvent” or “Insolvency” means a party makes an assignment for the benefit of creditors, has a receiver, trustee, custodian (or similar party) appointed or designated to administer its affairs or otherwise take control of its assets or business operations, becomes a debtor in a voluntary proceeding under any chapter of the U.S. Bankruptcy Code or any other law or statutory scheme relating to insolvency, reorganization or liquidation, or an involuntary petition in bankruptcy, or other insolvency proceeding, is filed against the party and is not dismissed within 90 calendar days after it is filed.

12.4.     Either party may terminate Service effective immediately on notice to the other party if the other ceases to do business or otherwise ends its business operations without a successor.

12.5.     On termination, you will pay all outstanding Fees, Taxes, charges, and expenses owed under the ToS or the applicable Proposal as if termination had not occurred.  For the avoidance of doubt, any pre-paid Fees and Taxes are non-refundable.    

13.  Confidentiality.

13.1.     “Confidential Information” means any non-public data, information, and other materials regarding a party’s products, services, or business (and, if the party is bound to protect the confidentiality of a third party’s information, of the third party) where the information is marked or otherwise communicated as being “proprietary” or “confidential” or the like, or where the information should, by its nature, be reasonably understood to be confidential or proprietary.  For clarification, Confidential Information includes “Personal Data,” Personally Identifiable Information, Personal Information, or similar terms as defined under applicable data protection laws.  The party disclosing Confidential Information is referred to as the “Discloser” and the party receiving Confidential Information is referred to as the “Recipient.”

13.2.     Confidential Information will not include information that (1) is already or becomes known to the Recipient before disclosure by the Discloser or independently of the Recipient’s knowledge of the Confidential Information and is not subject to an obligation of confidentiality; (2) is independently developed by the Recipient without use of or reference to the Discloser’s Confidential Information; (3) is rightfully obtained by the Recipient without breach of the ToS or from a third party without restriction as to disclosure, or is approved for release by written authorization of the Discloser; or (4 ) was lawfully and demonstrably in the possession of the Recipient without use of or reference to the Discloser’s Confidential Information.

13.3.     A Recipient will not use or disclose the Confidential Information of the Discloser for any purpose other than as necessary and appropriate to perform its obligations under the ToS.  The Recipient will cause its officers, directors, employees, agents, affiliates, and subcontractors (collectively “Representatives”) who receive Confidential Information to comply with the ToS and will bear full responsibility for any failure to comply with the ToS.  A Recipient will not transfer or disclose any Confidential Information to any third party without the Discloser’s prior written consent and without the third party having a contractual obligation (consistent with this Section) to protect and keep the Confidential Information confidential.  A Recipient will treat all Confidential Information of the Discloser in the same manner as it treats its own similar proprietary information, but in no case less than with reasonable care. 

13.4.     If a Recipient is requested or required to disclose any of a Discloser’s Confidential Information under a subpoena, court order, statute, law, rule, regulation or other similar requirement (“Legal Requirement”), the Recipient will, if lawfully permitted to do so, provide prompt notice of the Legal Requirement to the Discloser so that the Discloser may seek an appropriate protective order or other appropriate remedy.  If the Discloser is unsuccessful and the Recipient is legally compelled to disclose the Confidential Information, or if the Discloser waives compliance with the ToS in writing, the Recipient may disclose, without liability, any Confidential Information solely to the extent necessary to comply with the Legal Requirement.

13.5.     Insofar as User Data constitutes Personal Data (or any related term) under applicable data protection laws, Recipient will, taking into account the nature of the processing, assist Discloser by (1) implementing appropriate technical and organizational measures, (2) ensuring its compliance with legal obligations, and (3) make available to the Recipient all information necessary to demonstrate lawful compliance.

13.6.     Ownership of Confidential Information (including all Intellectual Property rights) in any materials owned by a party will remain exclusively with that party.  Except as expressly stated to the contrary, nothing in the ToS will imply that any right or license in respect of Intellectual Property is being granted to the other party.

13.7.     On a Discloser’s written request, a Recipient will return to the Discloser all copies of Confidential Information already in its possession or within its control.  However, a Recipient may keep copies of any records it is required to retain by law or regulation, or copies retained as part of the Recipient’s backup or record retention process, all of which will remain subject to these confidentiality terms.  Alternatively, with Discloser’s prior written consent, the Recipient may destroy the Confidential Information if it is (1) destroyed in accordance with applicable law, rule or regulation, and (2) is rendered unreadable, undecipherable and otherwise incapable of reconstruction, in which case an officer of the Recipient will certify in writing to the Discloser that it has been so destroyed.  The obligations regarding Confidential Information, in this Section will continue in force and effect for a period of five years after termination or expiration of the ToS.  Notwithstanding the foregoing, Confidential Information that is a trade secret of the Discloser will be subject to the ToS for as long as it remains a trade secret.

13.8.     Both parties acknowledge that a breach of this Section may result in irreparable and continuing damage to a Discloser for which monetary damages may be insufficient.  A Discloser may seek, in addition to its other rights and remedies under the ToS or at law, injunctive or other equitable relief from a court of competent jurisdiction.  This Section will survive the expiration or termination of the ToS.

14.  Miscellaneous.

14.1.     All executed Proposals are incorporated into and made a part of the ToS, which is the entire agreement between us concerning its subject matter.  The ToS may only be modified by a written amendment signed by an authorized executive of each party.  Any prior agreements or representations, either written or oral, relating to the subject matter of the ToS are of no force or effect.

14.2.     Except to the extent applicable law provides otherwise, the ToS and your access to and use of the Service will be governed by the laws of the State of California, U.S.A., excluding its conflict of law provisions.  Except for claims for injunctive or equitable relief or claims regarding Intellectual Property rights (which may be brought in any competent court without the posting of a bond), any dispute between us will be finally settled under the Comprehensive Arbitration Rules of the Judicial Arbitration and Mediation Service, Inc. (“JAMS”) by three arbitrators appointed in accordance with the Jams’ rules.  The arbitration will take place in Sacramento, California, in the English language, and the arbitral decision may be enforced in any court.  The prevailing party in any action or proceeding will be entitled to costs and attorneys’ fees.

14.3.     If any part of the ToS is held invalid or unenforceable by a court of competent jurisdiction, that part will be construed to reflect the parties’ original intent, with the remaining provisions remaining in full force and effect.  A waiver by either party of any term or condition in the ToS, or any breach thereof, in any one instance, will not waive the term or condition or any subsequent breach.

14.4.     You may not assign or transfer any of your rights or obligations under the ToS without our express, written consent.  We have the right to assign this contract and its revenue as required for our business operations.  The ToS will be binding on and will inure to the benefit of the parties’ successors and permitted assigns.

14.5.     No waiver by either of us of a breach or default, or failure to exercise any right allowed under the ToS, is a waiver of any preceding or subsequent breach or default or a waiver or forfeiture of any similar or future rights.

14.6.     Our relationship is and will continue to be that of independent contractors.  The employees of neither party will be entitled to receive employee benefits from the other party or have any authority to act or purport to act on the other’s behalf. 

14.7.     All notices will be in writing and sent as set forth below, or to such other addresses as may be designated by a party in writing.  Notices will be deemed received when (1) delivered personally; or (2) one day after deposit with a commercial express courier specifying next day delivery, with written verification of receipt.

IF TO YOU:	IF TO US:
To the address you provided when signing up for the Service.	Omnistruct, Inc. Attn: Legal Dept. 2740 Fulton Ave. Suite 111-02,  Sacramento, CA 95821 With a copy to: [email protected]

14.8.     Any provision of the ToS or a Proposal which, by its nature, would survive termination will survive termination.

14.9.     Neither of us will be liable for any failure to perform, or delay in performing, an obligation where the failure or delay arises from a cause beyond our reasonable control (“Force Majeure Event”).  If a Force Majeure Event occurs, the parties will meet and discuss how to resolve the issue.  Either party may terminate the Service and the applicable Proposal by giving the other notice if the defaulting party fails to perform its obligations for three continuous months due to a Force Majeure Event.  This subsection does not apply to Section 13, any obligation to pay money, or any other obligation that is unaffected by the Force Majeure Event.

14.10.  We have negotiated the ToS, and each party’s legal counsel has had the opportunity to review it.  Any rule of construction or interpretation requiring      resolution of any ambiguities against the drafting party will not apply in the construction or interpretation of the ToS.

14.11.  The Service we provide is not exclusive, and we may provide it to others.

14.12.  The headings and titles of the Sections of the ToS are not part it but are for convenience only.  They are not intended to define, limit, or construe the contents of these provisions.  As used in the ToS, the term “including” means by way of example and not limitation. 

15.  Scope, Schedule and Resources.

15.1.     Customer understands that, unless otherwise contracted, all services exclude active recovery services, business continuity services, privacy programs, Third Party Risk Management programs, legal services, or guarantees that Customer will achieve full risk transfer or full statutory or regulatory compliance in the deliverables;

15.2.     Customer understands that no royalty free licensed software products will be included in the delivery of services;

15.3.     Omnistruct is not responsible for delays caused by failures or Customer rescheduling, including but not limited to: failures caused by systems, personnel or environmental causes, or in using incorrect or insufficient data provided by Customer;

15.4.     Omnistruct will not be responsible for direct, or indirect, network or application performance during scans in electronic testing;

15.5.     Customer will provide to each Omnistruct Consultant appropriate logical and physical facility access to Customer assets for any one-time projects and designate primary points of contact for Customer relevant sites and departments as needed for work effort;

15.6.     All task and project actions requiring “hands on keyboard” action, as well as corrective projects and budgets, will be the responsibility of Customer and require a change order for inclusion or support of task and project actions by Omnistruct and its affiliates;

15.7.     Unless otherwise contracted, all work, remediation actions, projects, and budgets resulting from Omnistruct recommendation will be the responsibility of Customer;

15.8.     All work will be performed 8:00 AM to 5:00 PM Pacific Time Monday through Friday, and all, or part, of work effort may be delivered remotely unless otherwise specified in the project plans developed by Omnistruct and Customer;

15.9.     All security policy will be governed by the designated framework(s) unless otherwise contracted. If additional frameworks, standards of compliance, or statutory requirements are discovered and requested by Customer, a change order will be required;

15.10.  Customer understands that vulnerability assessments performed independently by Customer, or through third party IT service providers or tooling, may also be used as artifacts for security policy and compliance for Omnistruct oversight and approval of action and attestation;

15.11.  Customer understands that OMNI* SKUs, when contracted, may be delivered by Omnistruct Inc affiliate, in tandem with Omnistruct’s subscription for separation of risk in hands-on-keyboard, audit, and burden of proof in evidence collection;

15.12.  Customer understands that any software code or scripts developed or owned by Customer requires a separate framework, specialized penetration testing, and, unless otherwise contracted, is out of scope;

15.13.  Customer understands that changes in Customer personnel may impact scope, schedule, or resource requirements that will result in a change order;

15.14.  Customer understands that contracted managed detection and response services may impact Customer’s cyber insurance agreements unless Omnistruct and its Affiliates are placed “on panel” with Customer insurance provider;

15.15.  Customer understands that any Strategic Risk Assessment, data protection review, or framework/program procedural discovery may uncover gaps that may require additional investment in frameworks or programs.