- Introduction
HackRisk.AI is a threat detection service provided by CyberLab that provides a comprehensive, automated analysis of the cyber exposure of a customer’s digital assets, to identify potential security weaknesses and provide actionable insights.
By indicating your acceptance of the Agreement or accessing or using the Service, Customer agrees to be bound by the terms and conditions of the Agreement. Each party expressly agrees that the Agreement is legally binding upon it. Defined/capitalised terms have the meaning given in clause 15 of these Terms of Service. CyberLab may modify the Agreement from time to time as permitted in clause 14.4 (Modifications to Agreement).
Purchase from Reseller: If Customer purchases the Service from an authorised reseller of CyberLab (“Reseller”), Customer’s use of the Service will be governed by the Agreement, subject to clause 14.12 (Reseller Orders) below.
- The Service
- Use of Service. Subject to payment of the Fees, CyberLab grants to Customer a non-exclusive, non-transferable right during the Term to access and use the Service (including the Reports) solely for use by Customer and its Users. Customer’s use of the Service must be in accordance with the Agreement and any reasonable instructions provided to Customer by CyberLab.
- Compliance with Applicable Law. CyberLab will provide the Service in accordance with CyberLab’s obligations under Applicable Law (applicable to CyberLab’s provision of the Service to CyberLab’s customers generally).
- Restrictions on use of Service. To the maximum extent permitted by law, and except as expressly granted in the Agreement or where a normal feature of the Service used in accordance with the Agreement otherwise permits, Customer shall not (and will procure that Users will not): (a) copy, reproduce, publish, distribute, broadcast, transmit, modify, adapt, edit, abstract, store, archive, display publicly or to a third party, sell, license, lease, rent, assign, transfer, disclose (in each case whether or not for charge) or in any way commercially exploit any part of the Service; (b) permit use of the Service in any manner by a third party (including permitting use in connection with any timesharing or service bureau, outsourced or similar software to third parties or making the Service (or any part) available to any third party, or allow or permit a third party to do any of the foregoing); (c) combine, merge or otherwise permit the Service to become incorporated in any other program or similar software, or arrange or create derivative works based on it (in whole or in part); (d) attempt to scrape, data mine, reverse engineer, or test the functioning of or decompile the Service (or any part) or otherwise seek to obtain the source code or non-public APIs of the Service, except to the extent expressly permitted by Applicable Law (and then only with prior notice to CyberLab); (e) remove or obscure any proprietary or other notices contained in the Service; (f) use the Service to develop a similar or competing product or service; (g) use the Service to store or transmit viruses or material which contains illegal content; (h) resell any of the Service without CyberLab’s express written consent; or (i) use or access the Service from within any Prohibited Territory or as a Prohibited Entity.
Customer agrees to comply with all applicable export control and sanctions laws and regulations, including refraining from transferring, exporting, or re-exporting the Service or any related technology or software to any Prohibited Entity or Prohibited Territory. In the event that Customer or any User becomes a Prohibited Entity or accesses the Service from a Prohibited Territory, CyberLab may immediately suspend or terminate access to the Service under Clauses 13.5 (Suspension of the Service) and 13.1 (Termination for cause), without liability. The parties agree that the list of Prohibited Entities and Prohibited Territories may be updated from time to time to reflect changes in applicable sanctions and embargoes by relevant authorities, and such updates shall be binding upon Customer.
- Trial Service. Customer may access the Service as a Trial Service. The Trial Service will last for 14 days. If Customer does not activate a paid subscription within this 14-day period then the Trial Service will expire and access to the Service is revoked. The Trial Service is subject to the terms of the Agreement, unless otherwise notified by CyberLab. Either party may terminate Customer’s use of any Trial Service before the end of the 14-day period for any reason.
- Updates to Service. Customer acknowledges that CyberLab will be entitled to change and update the Service, using reasonable endeavours to ensure that any such modification does not materially adversely affect Customer’s use of the Service.
- Users
- Permitted Only Users may access or use the Service. Customer is responsible and liable for its Users’ actions through the Service and for their compliance with the Agreement. Customer will ensure that Users keep their login credentials and password confidential and will promptly notify CyberLab upon learning of any compromise of User accounts or credentials. Customer shall procure that each User is aware of, and complies with, the obligations and restrictions imposed on Customer under the Agreement. CyberLab uses User account information as described in its Privacy Policy – https://cyberlab.co.uk/policies/.
- Unauthorised Customer will use all reasonable endeavours to prevent any unauthorised access to, or use of, the Service, and in the event of any such unauthorised access or use, promptly notify CyberLab. CyberLab may reasonably audit Users’ use of the Service to ensure it is in compliance with this Agreement.
- Age Requirement for Users. The Service is not intended for, and may not be used by, anyone under the age of 16. Customer is responsible for ensuring that all Users are at least 16 years old.
- Term and Renewals. The Agreement is effective on the Start Date and will continue for the Plan Term. On expiry of the Plan Term (whether a monthly or 12-month Plan Term), the Agreement will continue on a rolling monthly basis. Customer may cause the Agreement to not renew by giving CyberLab no less than 30 days’ written notice, and such notice will take effect at the end of the month following the month in which notice was given.
- Fees
- Fees are payable monthly during the Plan Term, or as otherwise agreed between the parties in the Order. Other than as set out in the Agreement, all payment obligations are non-cancellable, and Fees are non-refundable once invoiced. Customer will be liable for all Fees until the end of the Term. CyberLab is entitled to increase the Fees at any time by giving 30 days’ written notice to Customer, provided that such increased Fees will (a) not be higher than CyberLab’s then-current standard rates and (b) will not take effect before expiry of the then-current Plan Term (or renewal). No Fees will be payable for the Trial Service unless otherwise agreed in writing.
- Invoicing and payment. Customer agrees that CyberLab may charge Customer’s credit card or other payment method that has been provided by Customer for the Fees, the approved expenses, and any other unpaid Fees, as applicable. Where agreed, CyberLab will invoice Customer for the agreed Fees and Customer may pay the Fees by electronic funds transfer. CyberLab does not accept payment by cheque. Customer may change its payment method information by entering updated information through the Service portal. Unless otherwise specified in the relevant Order, all Fees and any approved expenses will be paid by Customer in full and without deduction within 30 days of the date of the relevant invoice. Late payments are subject to a service charge of 1.5% per month or the maximum amount allowed by Applicable Law, whichever is less. Customer is responsible for any sales, use, goods, and Service, value-added, withholding, or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than taxes based on CyberLab’s net income, property, or employees. Fees and expenses are exclusive of Taxes.
- Warranties and disclaimers
- Limited CyberLab warrants that: (a) the Service will operate materially in accordance with its description on the website when used in accordance with the Agreement and under normal circumstances during the relevant Term; and (b) CyberLab will not materially decrease the functionality of the Service during the Term.
- Warranty Remedy. If CyberLab breaches a warranty in clause 1, and Customer makes a reasonably detailed warranty claim within 30 days of discovering the issue, CyberLab will use reasonable commercial efforts to correct the issue or provide Customer with substitute Service. If CyberLab cannot do so within 60 days of Customer’s warranty claim, either party may terminate the applicable Service, and Customer, as its sole remedy, will be entitled to receive a refund of any unused Fees that Customer has pre-paid for the applicable Service after the date of termination. The warranties in clause 6.1 will not apply to the extent that any error arises as a result of (as applicable): (a) incorrect operation or use of the Service by Customer or a User; (b) use of the Service with other software or Service or on equipment with which it is incompatible or that are provided by a third party; (c) any unapproved modification of the Service; (d) a Trial Service; or (e) a breach of the Agreement by Customer (or by any User). This clause 6.2 sets out Customer’s sole and exclusive remedies, and CyberLab’s sole and exclusive liability, for any breach of the warranties in clause 6.1.
- Other than as expressly stated in the Agreement, the Service is provided ‘as is’ and without warranty, whether express or implied, statutory or otherwise, to the maximum extent permitted by law. Customer agrees that its purchase of the Service is not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by CyberLab regarding future functionality or features. Customer acknowledges that CyberLab accepts no liability or obligation that the Service will: (a) meet Customer’s individual needs or purpose, whether or not such needs/purpose have been communicated to CyberLab; (b) ensure that a Customer’s system is completely secure against cyber-attacks (even if the Customer’s Report includes a high Hack Risk score); (c) scan the Customer IT infrastructure without any impact on its infrastructure; (d) discover all Customer Content on the dark web; or (f) be free of minor errors or defects.
- Intellectual property and publicity
- CyberLab IP. Other than as expressly stated in the Agreement, neither party grants the other any right, title or interest. CyberLab (or its licensor(s), as applicable) owns all Intellectual Property Rights in and to the CyberLab Technology. Customer acknowledges that the Service is offered as an online, hosted solution, and therefore Customer has no right to obtain a copy of the underlying computer code of the Service.
- Customer IP. Customer (or its licensor(s), as applicable) owns all Intellectual Property Rights in and to Customer Content (at all times excluding any CyberLab Technology). Customer grants CyberLab a limited, royalty-free, non-transferable, non-exclusive licence to use, copy, store, transmit, and display Customer Content (including making copies, modifying and creating derivative works) to the extent necessary for CyberLab to perform the Service for the benefit of Customer.
- CyberLab may freely use and incorporate into its Service any suggestions, enhancement requests, recommendations, corrections, or other feedback provided by Customer or by any Users relating to the Service (“Feedback”), it being acknowledged that any such Feedback will form part of CyberLab’s proprietary Service and products and will be owned exclusively by CyberLab.
- Usage Data. Subject to its obligations under clause 10, CyberLab may collect and use Usage Data to develop, improve, support, and operate its products and Service. CyberLab will not share any Usage Data with a third party unless such data is aggregated and anonymized such that Customer and the Users cannot be identified, except where such data is shared with a third party that reasonably needs to identify Customer or Users as part of that third party’s role in the provision of the Service to Customer.
- Confidentiality
- Each party that receives Confidential Information will: (a) maintain the confidentiality of the Confidential Information and will not disclose it to third parties except as permitted in the Agreement; and (b) not use the Confidential Information other than as necessary for the performance or receipt of the Service. The receiving party may disclose the Confidential Information to its employees, agents, contractors, and sub-contractors that have a legitimate need to receive such information. The receiving party shall remain responsible to the other party for the compliance with this clause 8 of such persons and undertakes that such persons will be bound to confidentiality obligations no less protective than this clause 8.
- Excluded information. The provisions of this clause 8 will not apply to information that the receiving party can demonstrate: (a) becomes publicly known through no fault of the receiving party, its employees, agents, contractors, or sub-contractors; (b) is lawfully received by receiving party from a third party free of any obligation of confidence at the time of its disclosure; (c) is independently developed by the receiving party without using the disclosing party’s Confidential Information; or (d) is required by law, by court or governmental or regulatory order to be disclosed.
- Customer Content and Reports
- Customer Content. Customer licenses Customer Content to CyberLab under clause 2. In the event of any loss or damage to Customer Content, Customer’s sole and exclusive remedy against CyberLab will be for CyberLab to use reasonable commercial endeavours to restore the lost or damaged Customer Content from the latest back-up of such Customer Content maintained by CyberLab in accordance with its archiving procedures.
- Reports may be viewed within, or exported from, the Service portal during the Plan Term.
- Deletion or return. After termination of the Agreement, CyberLab will close Customer’s account and, at the choice of the Customer, either delete or return Customer Content and Reports in the portal that contains personal data, after which all Customer Content and Reports are deleted permanently and cannot be retrieved.
- Data Protection and Security
- Data protection. Each party undertakes to comply with its obligations under relevant applicable data protection laws, principles and agreements. To the extent that personal data is processed when the Customer or Users use the Service, the parties acknowledge that CyberLab is a data processor, and the Customer is a data controller and the parties shall comply with their respective obligations under the terms of CyberLab’s data processing addendum found at Schedule 1. Where CyberLab collects and processes personal data of the Customer, as a data controller, when providing the Service, such collection and processing shall be in accordance with the Privacy Policy – https://cyberlab.co.uk/policies/.
- CyberLab will implement appropriate technical and organisational security measures to protect the Service and Customer Content in accordance with Applicable Law.
- Indemnity
- CyberLab indemnity. CyberLab will defend, indemnify and hold Customer harmless from and against all claims, losses, damages, fines, expenses and liability incurred by Customer (including court costs and reasonable legal costs) resulting from any claim by a third party that the Service infringes the Intellectual Property Rights of that third party. CyberLab will have no liability under this clause 1, in respect of any claim which arises in whole or in part from: (a) any modification of the Service other than by CyberLab; (b) use or integration of Customer Content or any materials not provided by CyberLab; (c) use of the Service (or any part) by Customer otherwise than in accordance with the Agreement; or (d) the combination of the Service with products or processes not provided by CyberLab. This clause sets out Customer’s sole remedy with respect to any claim of Intellectual Property Rights infringement in relation to the Service.
- Customer indemnity. Customer will defend, indemnify and hold CyberLab harmless from and against all claims, losses, damages, fines, expenses and liability incurred by CyberLab (including court costs and reasonable legal costs) resulting from any claim by a third party arising from any Customer Content. The indemnification obligation of Customer in this clause 2 will not apply to the extent the applicable claim is attributable to unauthorised use or modification by CyberLab of Customer Content.
- Indemnification Procedures. In the event of a potential indemnity obligation under the Agreement, the indemnified party will: (a) promptly (and in any event within five Business Days) notify the indemnifying party in writing of any actual or threatened claim; (b) make no comment or admission and take no action that may adversely affect the indemnifying party’s ability to defend or settle the claim; (c) provide all assistance reasonably required by the indemnifying party; and (d) give the indemnifying party sole authority to control, defend or settle the claim. Any indemnification obligation under the Agreement will not apply if the indemnified party settles or makes any admission with respect to a claim without the indemnifying party’s prior written consent. Nothing in the Agreement will restrict or limit either party’s general obligation at law to mitigate a loss it may suffer or incur as a result of an event that may give rise to a claim under the indemnification obligations in the Agreement.
- Limitation of liability
- The parties acknowledge that the Fees payable by Customer are based in part on the limitations in this clause 12 and further agree that these limitations will apply notwithstanding any failure of essential purpose of any limited remedy.
- Liability cap. Subject to clause 4 and except with respect to (a) a party’s liability under the indemnities in clauses 11.1 and 11.2, (b) either party’s breach of clause 8 (Confidentiality), and (c) Fees owed by Customer to CyberLab, each party’s total aggregate liability in respect of any loss or damage suffered by the other party (whether due to breach of contract, tort (including negligence) or otherwise) under or in connection with the Agreement or the Service, will not exceed the higher of £100 or the value of the Fees under the relevant Order paid or payable by Customer to CyberLab in the 12-month period immediately preceding the first incident giving rise to the relevant claim. CyberLab’s total aggregate liability in respect of any Trial Service (howsoever arising under or in connection with the Agreement) will not exceed £100 (GBP one hundred).
- Excluded losses. Subject to clause 4, neither party will be liable in respect of the Service (howsoever arising under or in connection with the Agreement) for: (a) consequential, indirect or special losses; or (b) any of the following (whether direct or indirect): loss of profit; destruction, loss of use or corruption of data; loss of use; loss of contract; loss of opportunity; and/or harm to reputation or loss of goodwill. Customer assumes sole responsibility for results obtained from its use of Service, and for conclusions drawn from such use.
- Unlimited liability. Notwithstanding any other provision of the Agreement, neither party’s liability will be limited in any way in respect of the following: (a) death or personal injury caused by its negligence; (b) fraud or fraudulent misrepresentation; or (c) any other losses which cannot be excluded or limited by Applicable Law.
- Third party Service. Customer acknowledges that CyberLab provides no warranty for and will have no liability to Customer in relation to any third party service, product, or content that is accessed by or linked to the Service (all of which is provided “as is”).
- Termination
- Termination for cause. Either party may terminate the Agreement immediately at any time by giving notice in writing to the other party if: (a) the other party commits a material breach of the Agreement and such breach is not remediable; (b) the other party fails to remedy a material breach of the Agreement (including non-payment of Fees) within 15 days of written notice; (c) ceases operation without a successor; or (d) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that party and not dismissed within 60 days.
- Termination for convenience. CyberLab may terminate this Agreement at any time for any reason upon 90 days’ notice to Customer and will refund any pre-paid Fees. Customer may terminate this Agreement at any time for any reason by cancelling the Service in writing, provided: (a) Customer will not be entitled to a refund of any pre-paid Fees and (b) if Customer has not already paid all applicable Fees for the then-current Term, any such Fees that are outstanding will become immediately due and payable.
- Effect of termination. Immediately on termination or expiry of the Agreement (for any reason), the rights granted by CyberLab under the Agreement will terminate and Customer will (and will procure that each User will) stop using the Service. Termination or expiry of the Agreement will not affect any accrued rights and liabilities of either party at any time up to the date of termination or expiry.
- Surviving clauses. The following clauses will survive any expiration or termination of the Agreement: 3 (Restrictions on use of Service), 3 (Responsibility for Users), 6.3 (Warranty Disclaimer), 5 (Fees), 7 (Intellectual Property), 8 (Confidentiality), 9.2 (Security), 11 (Indemnity), 12 (Limitation of Liability), 14 (General), 15 (Definitions), and any other clauses that expressly or by implication are intended to continue beyond termination.
- Suspension of the Service. CyberLab may suspend access to the Service to all or some of the Users if: (a) Customer breaches clause 2, 2.3, or 3; (b) CyberLab reasonably suspects that Customer’s or User’s actions threaten the confidentiality, integrity or availability of the Service; (c) overdue Fees have not been paid within 14 days of the relevant due date; or (d) required by law or at the request of governmental entities. CyberLab will provide notice of suspension as is commercially reasonable under the circumstances. Where any of the above events has been cured, CyberLab will, without undue delay, reinstate the affected Service.
- General
- Authority. Each party represents and warrants to the other that it has: (a) the right, power and authority to enter into an Order and to perform its obligations under the Agreement; and (b) all necessary rights, licences and consents to grant to the other the rights (if any) as set out in the Agreement.
- Entire agreement. The Agreement (and each Order) constitutes the entire agreement between the parties and supersedes all previous agreements, understandings, and arrangements between them in respect of its subject matter, whether in writing or oral. If Customer issues a purchase order in relation to the Order: (a) such purchase order will be for Customer’s internal or administrative purposes; and (b) no additional order terms will apply to the Order or the Fees.
- Notices and other communications under the Agreement will be sent by email to: (a) in the case of those to CyberLab, to Chess Cybersecurity Limited: [email protected] and (b) in the case of notices to Customer, to any email or physical address notified to CyberLab. This clause 14.3 does not apply to notices given in legal proceedings or other dispute resolution proceedings, for which email alone is not valid. Legal notices to be sent to: FAO The Legal Department, Chess Cybersecurity Limited, whose registered office is at Bridgford House, Heyes Lane, Alderley Edge, Cheshire SK9 7JP with cc to [email protected].
- Modifications to Agreement. CyberLab may modify these Terms of Service and its standard Service pricing and plans from time to time. Unless a shorter period is specified by CyberLab by giving notice to Customer by email or through the Service, modifications become effective upon renewal of Customer’s current Term or entering into a new Order. If CyberLab gives notice that the modifications to the Agreement will take effect prior to Customer’s next renewal or Order, and Customer notifies CyberLab of its objection to the modifications as soon as possible and at least within 14 days after the date of such notice, CyberLab (at its option and as Customer’s exclusive remedy) will either: (a) permit Customer to continue under the existing version of the Agreement until expiration of the then-current Term (after which time the modified Agreement will go into effect) or (b) allow Customer to terminate the Agreement and receive a refund of any pre-paid Fees allocable to the terminated portion of the applicable Term. Customer may be required to click to accept or otherwise agree to the modified Agreement in order to continue using the Service, and, in any event, continued use of the Service after the updated version of the Agreement goes into effect will constitute Customer’s acceptance of such updated version.
- No failure, delay, or omission by either party in exercising any right, power or remedy provided by law or under the Agreement will operate as a waiver of that right, power or remedy, nor will it preclude or restrict any future exercise of that or any other right, power or remedy.
- Neither party may assign or otherwise transfer the Agreement (or any part of it) without the advance written consent of the other party, except by CyberLab (a) in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of such party’s assets or voting shares to such party’s successor; and/or (b) to any Affiliate of CyberLab. CyberLab will promptly provide notice of any such assignment or transfer. Customer hereby irrevocably agrees in advance to provide its cooperation to such assignment or transfer and will perform any formality to complete such assignment or transfer. Any non-permitted assignment is void.
- The Agreement does not establish any joint venture, partnership, trust, fiduciary or other relationship between the parties, other than the contractual relationship expressly provided for in it. The Agreement will not prevent CyberLab from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or Service which are similar to those provided under the Agreement.
- Force majeure. Neither party will be in breach of the Agreement or otherwise liable to the other party for any delay in performance or non-performance of any of its obligations under the Agreement to the extent that the delay or non-performance is caused, in whole or in part, by an event of Force Majeure. The corresponding obligations of the other party will be relieved or reduced to the same extent and where the relevant corresponding obligation relates to payment of a fixed amount, it will be apportioned appropriately.
- Severability; headings. If any provision of these Terms of Service is held to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that the Terms of Service will otherwise remain in effect. Clause headings are inserted for convenience only and will not affect the construction of the Terms of Service.
- Third party rights. A person who is not a party to the Agreement will not have any rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise to enforce any of its provisions.
- Governing law; Disputes. The Agreement is governed by the laws of England and Wales. The parties irrevocably agree that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, the Agreement.
- Definitions
Affiliate: an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a party. As used herein, own means the beneficial ownership of more than fifty percent (50%) of the voting equity shares or other equivalent voting interests of an entity and control means the power to direct the management or affairs of an entity.
Agreement: the agreement between the parties consists of these Terms of Service and any Orders.
Applicable Law: all local, state, federal and international laws, regulations and conventions relevant to the Service, including those related to data privacy.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Confidential Information: information disclosed to the receiving party under the Agreement that is designated by the disclosing party as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure (including information relating to the parties’ technology, know-how, Intellectual Property Rights, pricing, assets, finances, strategy, products and customers). CyberLab’s Confidential Information includes any technical or performance information about the Service. Customer’s Confidential Information includes Customer Content.
Customer: the legal entity or person placing an Order for and/or accessing the Service.
Customer Content: all text, information, data, software, executable code, images, audio or video material, computer files, or other materials in whatever medium or form that: (a) are provided to CyberLab by or on behalf of Customer or User; or (b) relates to the Customer, a User and/or their respective IT assets, and that CyberLab collects or discovers, each as part of the Service.
CyberLab: Chess Cybersecurity Limited, whose registered office is at Bridgford House, Heyes Lane, Alderley Edge, Cheshire SK9 7JP, company registration number 02962709.
CyberLab Technology: any software, tools, databases, data, methodologies or other materials that are owned by, or licensed from a third party to, CyberLab and that have been created independently of the Agreement (whether prior to the Start Date or otherwise), including: (a) the Service; (b) the technology behind the Service and their features; (c) Installed Software; (d) all proprietary tools, libraries, know-how, techniques and expertise used by CyberLab to provide the Service, and all related and underlying code, software, technology and documentation (including any derivative works, modifications, or improvements of any of the foregoing); and (e) all associated know-how.
Feedback: has the meaning given in clause 7.3.
Fees: the Fees payable by Customer to CyberLab for Customer’s and its User’s use of the Service, based on CyberLab’s standard Service pricing and plans from time to time and/or as set out in the relevant Order.
Force Majeure: an event or sequence of events beyond a party’s reasonable control preventing or delaying it from performing its obligations under the Agreement (provided that an inability to pay is not Force Majeure), including (a) an act of God, flood, storm, drought, earthquake, or other natural disaster; (b) adverse weather conditions; (c) any cause or event arising out of or attributable to war, civil commotion or terrorist activity (or threat thereof); (d) any law, or any governmental order, rule or regulation; (e) fire or explosion; (f) labour dispute including strikes, industrial action, lockouts or boycott; (g) a shortage of raw materials; (h) any matters relating to transfer of data over public communications networks and any delays or problems associated with any such networks or with the internet; and (i) any epidemic or pandemic, including the COVID-19 pandemic, and compliance with any applicable governmental guidelines designed to prevent the spread of the relevant disease.
Installed Software: program or other application that Customer is required to install on any device in order to receive the Service in respect of that Service.
Intellectual Property Rights: patents, utility models, rights to inventions, copyright and neighbouring and related rights, moral rights, trade marks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world, and Intellectual Property Rights include, without limitation, any Marks.
Marks:
- (a) any trade marks, trade names, service marks, trade dress, logos, URLs and domain names;
- (b) any identifying slogans and symbols;
- (c) any abbreviation, contraction or simulation of any of the items in paragraph (a) or paragraph (b); and
- (d) the “look and feel” of the brand of a party to the Agreement, whether or not registered.
Order: (a) an ordering document placing an order for Service signed by CyberLab; or (b) any form of request to access the Service that is confirmed or accepted by CyberLab in writing, including through the Service’s portal. Each Order is subject to and incorporates these Terms of Service.
party: each of CyberLab and Customer (together referred to as the “parties”).
Plan Term: the minimum period for which Customer agrees to subscribe to the Service, either a rolling-monthly term or a 12-month term, as detailed in the Order, commencing on the Start Date.
Prohibited Entity: any individual, entity, or person that is subject to trade or economic embargoes, sanctions, or other prohibitions imposed by the United States Government, the United Kingdom Government, the European Union, or any other applicable governmental or regulatory authority, including those designated as supporting terrorist activities.
Prohibited Territory: the following territories and any other country or regime that, from time to time, is embargoed, sanctioned, or designated as supporting terrorist activities by the United States Government, the United Kingdom Government, the European Union, or any other applicable governmental or regulatory authority: China, Crimea, Cuba, Donetsk People’s Republic, Iran, Russia, Belarus, Luhansk People’s Republic, North Korea, Syria, and Vietnam.
Report: a summary report on CyberLab’s findings from the Service, including a Hack Risk ‘score’. During the Plan Term, the Report is available within the Service portal and Reports can be exported by Customer as a PDF report.
Service: means access to CyberLab’s ‘Threat Detect’ product and portal as software-as-a-service, as further described on the Service website https://www.hackrisk.ai/. The Services include: the Trial Service, exportable Reports, and (where applicable) the provision of the Installed Software. The features and details of the Service are determined by the plan chosen or subscribed for by Customer.
Start Date: means, (a) for the Trial Service, the date on which Customer activates its account for the Service and (b) for a paid subscription, the date on which Customer activates its account by submitting valid payment details.
Term: in respect of the Service, the total period for which Customer subscribes to the Service, being the Plan Term and all renewals of the Agreement.
Trial Service: the provision of Service on a trial basis and with limited functionality, including the provision by CyberLab of a free Report (with restricted results for the free report), as further detailed at clause 2.4.
Usage Data: any data (other than Customer Content) derived from the operation, support and/or use by Customer or Users of the Service, including configurations, log data, and the performance results for Service.
User: an individual who is permitted by the Customer to use the Service under the Customer’s account.
Schedule 1 – CyberLab Processing Addendum
This Data Processing Addendum (“DPA”) forms a part of the Agreement between CyberLab and Customer. This DPA applies where and only to the extent that CyberLab Processes Personal Data on behalf of Customer in the course of providing the Service.
- For the purposes of this DPA, the following terms will have the meanings set out below. Capitalised terms not otherwise defined herein will have the meaning given to them in clause 15 of the Terms of Service.
- “adequate country”, “controller”, “processor”, and “supervisory authorities” have the meanings given in the Data Protection Laws.
- “Customer Personal Data” means any Personal Data Processed by CyberLab or a Sub-processor on behalf of Customer.
- “Data Protection Laws” means any applicable local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, as amended, replaced or superseded from time to time. This includes the EU/UK Data Protection Law.
- “Data Subject” means the identified or identifiable person to whom Personal Data relates.
- “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Data Protection Act (“Swiss DPA”); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time.
- “Personal Data” means (i) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (ii) any information defined as “personal data”, “personal information,” or other similar defined terms under applicable Data Protection Laws.
- “Personal Data Breach” means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by CyberLab or any Sub-processor.
- “Process” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, and “processed,” or “processing” will be construed accordingly.
- “Processor” means any person or entity which Processes Customer Personal Data, including as applicable any “service provider” or “contractor” as those terms are defined by applicable Data Protection Laws.
- “Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.
- “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable).
- “Sub-processor” means any Processor (including any third party and any CyberLab Affiliate) appointed by or on behalf of CyberLab who may Process Customer Personal Data.
- Processing details.
The details of the Processing of Customer Personal Data by CyberLab are as follows.
- Subject matter. The subject matter of the data processing under this DPA is the Customer Personal Data.
- Nature and purpose of the Processing. Customer authorises CyberLab to Process Customer Personal Data (including collection, organisation, structuring, storage, hosting, adaptation, anonymising, and alteration and/or use of such data), solely for the purpose of providing the Services as described in the Agreement.
- As between Customer and CyberLab, the duration of the processing is the term of the Agreement plus any period after the termination or expiry of the Agreement during which CyberLab will process Customer Personal Data in accordance with the Agreement.
- Categories of Data Subjects. The categories of Data Subjects to which Customer Personal Data relate may include: (a) Customer’s employees, consultants, agents and third parties authorized to use the Service as “Users”; and (b) any other data subjects whose personal data is submitted to CyberLab by Customer or is discovered or collected from the dark web as part of the Service.
- Types of Personal Data. The types of Customer Personal Data uploaded to the Service or provided to CyberLab are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
- Identification and contact data (name, address, title, contact details);
- Online or device identifiers (IP address, cookie identifiers, or device fingerprints);
- Employment details (employer, job title, geographic location, area of responsibility);
- Payment details (card details, billing address); and
- Personal data discovered or collected from the dark web (card data, address data, passwords, usernames to other sites).
- Processing of Personal Data.
- The parties acknowledge that, with regard to the Processing of Customer Personal Data, CyberLab is the processor and Customer is the controller.
- Each party shall comply with its obligations under Data Protection Law(s) in respect of any Customer Personal Data it Processes under or in connection with the Service or this DPA. Without prejudice to the foregoing, Customer is responsible for determining whether the Service is appropriate for the storage and processing of Customer Personal Data under Data Protection Law(s) and for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired Customer Personal Data. Customer further agrees that it has provided notice and obtained all consents, permissions and rights necessary for CyberLab and its Sub-processors to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA).
- CyberLab will:
- only process personal data in accordance with this DPA and Customer’s documented instructions and will not process Customer Personal Data for its own purposes, except as set out in this DPA or where required by Applicable Law;
- not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Customer Personal Data to another person or entity for:
- monetary or other valuable consideration; or
- cross-context behavioural advertising for the benefit of a business in which no money is exchanged;
- not combine Customer Personal Data with Personal Data CyberLab receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10);
- inform Customer immediately if (in its opinion) any instructions infringe Data Protection Laws;
- ensure that anyone authorised to process Customer Personal Data is committed to confidentiality obligations;
- without undue delay, provide Customer with reasonable assistance with:
- data protection impact assessments,
- responses to Data Subjects’ requests to exercise their rights under Data Protection Laws, and
- engagement with supervisory authorities;
- if requested, provide Customer with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA;
- allow for audits at Customer’s reasonable request and expense (on no less than 30 days’ written notice), provided that audits are limited to once a year and during business hours except in the event of a security incident; and
- after termination of this DPA, delete or return Customer Personal Data upon Customer’s written request unless retention is required to meet legal or regulatory obligations (but only to the extent and for such period as required by such legal or regulatory requirement).
- Security. CyberLab will implement and maintain appropriate technical and organizational safeguards to protect Customer Personal Data that are no less rigorous than accepted industry standards for information security and will ensure that all such safeguards comply with applicable Data Protection Laws. In assessing the appropriate level of security, CyberLab will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise Processed.
- Personal Data Breach. In the event of a Personal Data Breach impacting Customer Personal Data, CyberLab will:
- notify Customer without undue delay and as soon as practicable under the circumstances;
- provide Customer with sufficient details of the Personal Data Breach to allow Customer to meet any obligations under Data Protection Laws to report or inform Data Subjects or relevant Regulators of the Personal Data Breach; and
- cooperate, and require any Sub-processor to cooperate, with Customer in the investigation, mitigation, and remediation of any such Personal Data Breach.
- Sub-processors.
- Use of sub-processors. Customer hereby generally authorises CyberLab’s use of sub-processors provided that CyberLab applies the following criteria to select and appoint a sub-processor: (a) CyberLab will conduct reasonable due diligence on the data privacy and security measures of proposed Sub-processors before providing them with access to Personal Data; (b) CyberLab will carry out data protection impact assessments ahead of appointing a sub-processor where any processing of Personal Data by a sub-processor is likely to result in a high risk to the rights and freedoms of Data Subjects; (c) as required under Data Protection Laws, CyberLab will ensure that it puts in place a contract with any appointed sub-processor which imposes on the sub-processor, in substance, the same data protection obligations as imposed on CyberLab in this DPA; and (d) CyberLab shall keep its relationships with sub-processors under review and take any further steps as may be required under Data Protection Law or in relation to any changes to Customer’s or CyberLab’s Personal Data Processing activities. CyberLab shall remain fully responsible to the Customer for the performance of the sub-processor’s obligations.
- Changes to criteria. CyberLab shall inform Customer if CyberLab wishes to make any changes to its criteria for choosing a sub-processor, and Customer may reasonably object at any time to such changes or find out more information about CyberLab’s use of sub-processors by contacting their CyberLab representative.
- CyberLab will take any reasonable objection that it receives from Customer in relation to CyberLab’s criteria to appoint sub-processors, seriously, and will work with Customer where necessary to address Customer’s concerns. If a solution cannot be found to Customer’s concern, which shall be considered a material breach of the Agreement by CyberLab, Customer may choose to terminate the Agreement on written notice to CyberLab.
- Data Transfers.
- Country of processing. Customer Personal Data that CyberLab processes under the Agreement may be processed in any country in which CyberLab and its Sub-processors maintain facilities to perform the Service, as further detailed in the Sub-processor List. CyberLab shall not process or transfer Customer Personal Data (nor permit such data to be processed or transferred) in any country that does not have an adequacy decision/regulation with the EU or UK, unless it first takes such measures as are necessary to ensure the transfer is in compliance with EU/UK Data Protection Law.
- Transfer mechanism. Where a party processes Customer Personal Data outside the UK, the EEA or an adequate country:
- that processing party will act as the data importer,
- the disclosing party is the data exporter, and
- the parties will use an appropriate transfer mechanism in accordance with Data Protection Laws (“Transfer Mechanism”).
- Additional measures. If the Transfer Mechanism is insufficient to safeguard the transfer, the data importer will promptly implement additional or replacement measures as necessary to ensure personal data is protected to the same standard as under Data Protection Laws.
- If the data importer receives a request from a public authority to access Customer Personal Data, it will (if legally possible):
- challenge the request and promptly notify the data exporter about receiving it; and
- if it is necessary to disclose Customer Personal Data, only disclose the minimum amount required to the public authority and keep a record of the disclosure.
- Termination. Upon expiration or termination of the Agreement for any reason, CyberLab’s obligations under this DPA in relation to the Processing of Personal Data will continue for as long as CyberLab has access to Customer Personal Data.
- Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, the parties agree to discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.
- General Terms. This DPA supersedes any prior data processing agreements, addenda or similar terms between the parties. In the event of any conflict between the Agreement and this DPA, this DPA will govern with respect to the subject matter of this DPA.