AttackIQ Flex Agreement

Customer’s use of the Flex Report will be governed by the AttackIQ Flex Agreement displayed below.

PLEASE READ THIS ATTACKIQ FLEX AGREEMENT CAREFULLY. THIS ATTACKIQ FLEX AGREEMENT IS A BINDING CONTRACT FOR THE USE OF THE ATTACKIQ FLEX REPORT.

IF YOU DO NOT AGREE TO BE BOUND BY ALL OF THE PROVISIONS OF THIS ATTACKIQ FLEX AGREEMENT THEN DO NOT ACCESS OR USE THE ATTACKIQ FLEX REPORT.

This AttackIQ Flex Agreement is entered into by AttackIQ, Inc. a Delaware corporation (“AttackIQ”) and the customer purchasing the Flex Report (“Customer”).

Section 1. Agreement.

This AttackIQ Flex Agreement made between Customer and AttackIQ governs Customer’s use of the Flex Report prepared for Customer (the “Agreement”). A list of additional definitions appears at the end of this AttackIQ Flex Agreement.

Section 2. Offering.

2.1 Offering.

Subject to the terms of the Agreement, AttackIQ will deliver a Flex Report to Customer. The goal of the Flex Report is to identify evidence of security gaps that require remediation, and ultimately, to enable Customer to demonstrate improvement in its security program over time.

2.2 Support Services.

Subject to Customer’s payment obligations under this Agreement, AttackIQ will provide technical support services by email to [email protected], for no additional charge.

2.3 Flex Report; Ownership.

During the Term, AttackIQ will provide Customer’s Users with a monthly report outlining the in-scope testing performed and the results of the completed battery of standard assessments run, as further described in the Documentation (the “Flex Report”). AttackIQ will determine the scope of the standard testing. AttackIQ will deliver the Flex Report to Customer only electronically. Customer owns all right, title and interest in the Flex Report; provided, however, that AttackIQ retains ownership of generic template text included in the Flex Report that AttackIQ makes generally available to AttackIQ customers.

2.4 Limitations.

Customer may not use the Flex Report in any manner or for any purpose other than the Purpose. The Flex Report follows a defined testing method, based on industry vulnerability standards, to identify certain weaknesses, vulnerabilities and exploits, on the in-scope resources being tested. A weakness, noncompliance issue or vulnerability may not be discovered if evidence of it is not encountered by AttackIQ, or if it is a new, unknown or unlikely weakness, vulnerability or exploit.

Section 3. Data.

3.1 Customer Data Security.

AttackIQ shall maintain appropriate security for the Customer Data, consistent with the security standards AttackIQ uses to protect its Confidential Information and consistent with industry technical and organizational standards to protect against unauthorized processing and accidental loss or damage of the Customer Data.

3.2 Limited Use.

AttackIQ will use the Customer Data solely for the purpose of providing the Flex Report to Customer and will delete the Customer Data within twenty (20) days of a request to do so from Customer or, as otherwise required by law.

3.3 Personal Data.

If Customer provides Personal Data to AttackIQ under this Agreement, then AttackIQ shall comply with U.S. and European Union federal, national and state laws related to data privacy in effect during the Term of this Agreement where the Personal Data data subject resides, including to the extent applicable, the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code (“CCPA”) and the laws of the European Union member states under the General Data Protection Regulation (“GDPR”). AttackIQ and its subprocessors are expressly prohibited from: (i) selling Personal Data for monetary or other valuable consideration; (ii) sharing, collecting, retaining, using, or disclosing Customer Personal Data for any purpose, other than the express purpose of providing the Flex Report to Customer. AttackIQ acknowledges and confirms that it does not receive any Personal Data as consideration for any services or products that it provides to Customer under this Agreement.

Section 4. Additional Proprietary Rights, License Grants.

4.1 Proprietary Rights.

The Documentation is the exclusive property of AttackIQ and constitutes valuable intellectual property and proprietary materials of AttackIQ. Subject to the limited rights expressly granted in this Agreement, AttackIQ reserves all right, title and interest in and to the Documentation and all derivative works thereof, including all Intellectual Property Rights. No rights are granted to Customer except as expressly set forth in this Agreement.

4.2 Customer Data.

As between the Parties, the Customer Data is the exclusive property of Customer and constitutes valuable intellectual property and proprietary materials of Customer. Subject to the limited rights expressly granted in this Agreement, Customer reserves all right, title and interest in and to the Customer Data and Personal Data, including all Intellectual Property Rights. No rights are granted to AttackIQ except as expressly set forth in this Agreement. Subject to the terms of the Agreement, Customer hereby grants to AttackIQ a non-exclusive, royalty-free, worldwide license to use, copy, modify, perform and display the Customer Data during the Term, solely for the purpose of providing the Flex Report to Customer.

4.3 Feedback.

Customer hereby grants to AttackIQ a non-exclusive, royalty-free, irrevocable, perpetual, worldwide, license to use suggestions, comments, improvements, ideas or other feedback or materials provided by Customer (the “Feedback”) for AttackIQ’s business purposes. AttackIQ will exclusively own any improvements or modifications to AttackIQ’s proprietary intellectual property based on or derived from any Feedback including all Intellectual Property Rights in and to the improvements and modifications.

4.4 Trademarks.

AttackIQ owns all right, title and interest in and to the AttackIQ Marks and any goodwill arising out of the use of the AttackIQ Marks will remain with and belong to AttackIQ. Customer may not copy, imitate or use the AttackIQ Marks without the prior written consent of AttackIQ. Customer shall not remove or destroy any proprietary, trademark or copyright markings or notices placed upon or contained within the Flex Report. Customer will not in any way dispute, challenge or contend the validity of the AttackIQ Marks or any trademark, service mark or copyright registration owned by AttackIQ.

4.5 Compiled Data.

AttackIQ may compile statistical information concerning the existence of generic security vulnerabilities and other security risks obtained as a result of preparing the Flex Report that are not specific to Customer or its clients (“Compiled Data”) and may use the Compiled Data to analyze security threat trends and patterns. For clarity, the Compiled Data shall not include any Customer Confidential Information, any references to Customer or its clients or any other information that would identify Customer or its clients.

Section 5. Payments.

5.1 Credit Account.

Customer must purchase sufficient credits, in advance, in order to receive each Flex Report. Customer’s current credit balance is displayed in Customer’s Flex portal credit account (the “Credit Account”). Credits displayed in the Credit Account are non-refundable and expire on the first anniversary of the date of purchase of the credits.

5.2 Amount; Payment.

In exchange for the right to obtain the Flex Report, Customer agrees to pay the amounts specified for the type of report selected by Customer, by deducting the appropriate amount from Customer’s Credit Account (the “Fee”). The Fee does not include taxes and Customer shall be responsible for all such taxes, levies or duties associated with this Agreement, other than taxes based on AttackIQ’s net income. Customer’s payment of the Fee is not contingent on the delivery of future functionality.

Section 6. Term and Termination.

6.1 Term.

This Agreement commences on the date Customer places credits in its Credit Account and continues until Customer’s Credit Account balance is zero, unless terminated earlier pursuant to this Section 6 (the “Term”).

6.2 Termination for Material Breach.

If either Party materially breaches any term of this Agreement and fails to cure such breach within thirty (30) days after written notice by the non-breaching Party (fifteen (15) days in the case of non-payment), then the non-breaching Party may terminate this Agreement immediately upon notice.

6.3 Effect of Termination.

a) In General. In the event of any termination or expiration of this Agreement: (i) all of Customer’s rights under this Agreement will immediately terminate and (ii) AttackIQ will immediately cease preparing the Flex Report.

b) Deletion of Customer Data. If Customer requests deletion of its Customer Data in writing, then AttackIQ will permanently and irrevocably delete the Customer Data stored by AttackIQ within ten (10) days of receipt of the request. In addition, in the event of any termination or expiration of this Agreement AttackIQ will delete the Customer Data stored by AttackIQ without undue delay.

c) Survival. Provisions of this Agreement that by their nature are intended to survive, will continue to apply in accordance with their terms including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, limitations of liability and the miscellaneous provisions of the Section entitled Miscellaneous.

Section 7. Confidential Information.

7.1 Confidentiality Generally.

If the Parties have entered into a Non-Disclosure Agreement (“NDA”), this Agreement incorporates the NDA. If the Parties have not signed an NDA, then the Recipient will protect Confidential Information of the Discloser against any unauthorized use or disclosure to the same extent that the Recipient protects its own Confidential Information of a similar nature against unauthorized use or disclosure, but in no event will use less than a reasonable standard of care to protect such Confidential Information; provided that the Confidential Information of the Discloser is conspicuously marked or otherwise identified as confidential or proprietary upon receipt by the Recipient or the Recipient otherwise knows or has reason to know that the same is Confidential Information of the Discloser. All Customer Data and Personal Data is the Confidential Information of Customer. The Recipient will use any Confidential Information of the Discloser solely for the purposes for which it is provided by the Discloser.

7.2 Exceptions.

This Section 7 will not be interpreted or construed to prohibit: (a) any use or disclosure which is necessary or appropriate in connection with the Recipient’s performance of its obligations or exercise of its rights under this Agreement; (b) any use or disclosure required by applicable law (for example, pursuant to applicable securities laws or legal process), provided that the Recipient uses reasonable efforts to give the Discloser reasonable advance notice thereof (to afford the Discloser an opportunity to intervene and seek an order or other appropriate relief for the protection of its Confidential Information from any unauthorized use or disclosure); or (c) any use or disclosure made with the written consent of the Discloser.

Section 8. Limited Warranties and Remedies.

8.1 Mutual Warranties.

Each Party hereby represents and warrants to the other Party that (a) the individual executing this Agreement on behalf of such Party is duly authorized to execute this Agreement on its behalf, and (b) this Agreement is a valid and binding obligation of such Party and enforceable against such Party in accordance with its terms.

8.2 Disclaimers.

AttackIQ does not provide any warranties regarding the FLEX Report. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 8, ATTACKIQ MAKES NO WARRANTY OR GUARANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, WHETHER IMPLIED OR STATUTORY, INCLUDING ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. CUSTOMER ACKNOWLEDGES THAT THE DISCLAIMERS IN THIS SECTION 8 ARE A MATERIAL PART OF THIS AGREEMENT, AND ATTACKIQ WOULD NOT HAVE ENTERED INTO THIS AGREEMENT BUT FOR SUCH DISCLAIMERS.

Section 9. Indemnification.

9.1 IP Indemnification

a) Subject to Subsection 9.2 (Process), AttackIQ will, at its expense, either defend Customer from or settle any claim, suit or proceeding (“Claim”) brought by a third party against Customer alleging that Customer’s use of the portions of the Flex Report provided by AttackIQ in accordance with this Agreement infringes or misappropriates such third party’s copyright, trademark or trade secret intellectual property rights.

b) AttackIQ will indemnify Customer from and pay: (i) all damages, costs and attorneys’ fees finally awarded against Customer in a Claim under Subsection 9.1(a); (ii) all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by Customer in connection with the defense of a Claim under Subsection 9.1(a) (other than attorneys’ fees and costs incurred without AttackIQ’s consent after AttackIQ has accepted defense of the Claim); and (iii) all amounts that AttackIQ agrees to pay to any third party to settle a Claim under Subsection 9.1(a). Further, should the Flex Report become, or in AttackIQ’s opinion is likely to become, the subject of a claim of infringement or misappropriation AttackIQ may, at its option and expense: (x) obtain the right for Customer to continue to use the Flex Report, (y) modify the Flex Report so as to make it non-infringing and substantially comparable or (z) terminate this Agreement by providing notice to Customer and provide Customer with a refund of any pre-paid Fees for the infringing portion of the Flex Report.

c) AttackIQ’s indemnity obligation will not apply to the extent any infringement or misappropriation arises as a result of: (i) Customer Data included in the Flex Report, (ii) use of the Flex Report in violation of the Agreement, (iii) modification of the Flex Report by any party other than AttackIQ, or (iv) Client’s use of a superseded version of a Flex Report, if the infringement could have been avoided by using the latest version of the Flex Report.

9.2 Process.

Customer will promptly notify AttackIQ of any claim subject to this Section 9, but Customer’s failure to promptly notify AttackIQ will only affect AttackIQ’s obligations under this Section 9 to the extent that such failure prejudices AttackIQ’s ability to defend the Claim. AttackIQ may: (a) use counsel of its own choosing to defend against any Claim; and (b) settle the Claim as AttackIQ deems appropriate (except that AttackIQ may not settle any Claim unless the settlement unconditionally releases Customer of all liability related to the Claim). Customer shall provide AttackIQ, at AttackIQ’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the Claim.

Section 10. Limitations of Liability.

10.1 By Type.

EXCEPT FOR EITHER PARTY’S BREACH OF SECTION 7 (CONFIDENTIAL INFORMATION) OR ATTACKIQ’S OBLIGATIONS UNDER SECTION 9 (INDEMNIFICATION), IN NO EVENT WILL A PARTY HAVE ANY LIABILITY TO THE OTHER PARTY or any third party FOR ANY consequential, INDIRECT, SPECIAL, INCIDENTAL, REMOTE, SPECULATIVE, COVER, PUNITIVE or exemplary DAMAGES, (including loss of use, data, business or profits) regardless of the theory of liability or whether the liable Party HAS BEEN ADVISED OF THE POSSIBILITY OF THESE TYPES OF DAMAGES.

10.2 By Amount Generally.

EXCEPT FOR EITHER PARTY’S BREACH OF SECTION 7 (CONFIDENTIAL INFORMATION) IN NO EVENT will either Party be liable for aggregate damages in excess of the GREATER OF (A) $50,000 AND (B) THE fees PAID OR PAYABLE BY CUSTOMER TO ATTACKIQ UNDER THIS AGREEMENT, regardless of the theory of liability or whether the liable Party HAS BEEN ADVISED OF THE POSSIBILITY OF such DAMAGES.

10.3 Exclusions.

No limitation of liability in this Agreement, whether through the exclusion of certain types of damages, a cap on the amount of damages, or other limitation, applies to either Party’s liability for violation of the other party’s intellectual property rights, gross negligence, intentional misconduct, death or personal injury.

10.4 Allocation of Risk.

The Parties agree that the limitations specified in this Section 10 will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose. Each Party acknowledges that the foregoing limitations are an essential element of this Agreement and a reasonable allocation of risk between the Parties and that in the absence of such limitations the pricing and other terms set forth in this Agreement would be substantially different.

Section 11. Disputes.

11.1 Informal Dispute Resolution.

If a dispute arises between the Parties, then the Parties will use reasonable efforts to resolve the dispute through negotiation. If such negotiations result in an agreement in principle to settle the dispute, the Parties shall cause a written settlement agreement to be prepared, signed and dated, whereupon the dispute shall be deemed settled, and not subject to further dispute resolution.

11.2 Unresolved Disputes; Waiver of Jury Trial.

Upon the Parties’ mutual written agreement, any dispute under this Agreement may be submitted for resolution to mediation to occur at a mutually agreed upon location. The Parties reserve all rights to adjudicate any dispute not submitted to mediation hereunder, in any court of competent jurisdiction located in Santa Clara County, State of California, USA; provided, however, that each Party hereby waives the right to a trial by jury in any such action.

11.3 Exception for Injunctive Relief.

The Parties acknowledge that any breach of the confidentiality provisions or the unauthorized use of a Party’s intellectual property may result in serious and irreparable injury to the aggrieved Party for which damages may not adequately compensate the aggrieved Party. The Parties agree, therefore, that, in addition to the dispute resolution process described above and any other remedy that the aggrieved Party may have, it shall be entitled to seek equitable injunctive relief without being required to post a bond or other surety or to prove either actual damages or that damages would be an inadequate remedy.

Section 12. Miscellaneous.

12.1 Logo Use.

AttackIQ may use Customer’s name and logo in listings of AttackIQ’s customers on the website located at www.AttackIQ.com and in other public statements or disclosures for the purposes of marketing the AttackIQ Solution. Customer may request that AttackIQ cease or modify any use of Customer’s name or logo that is misleading or tends to dilute Customer’s brand.

12.2 Force Majeure.

AttackIQ shall not be responsible for any failure to perform under this Agreement which is due to causes beyond its control including, without limitation, problems with the Internet or Customer’s hardware or software, third-party interference, network failure, wars, civil disturbance, court order, legislative or regulatory action, catastrophic weather conditions, pandemic, power or utility failure, or acts of God.

12.3 Independent Contractors.

Each Party is an independent contractor and not a partner or agent of the other. This Agreement will not be interpreted or construed as creating or evidencing any partnership or agency between the Parties or as imposing any partnership or agency obligations or liability upon either Party. Further, neither Party is authorized to, and will not, enter into or incur any agreement, contract, commitment, obligation or liability in the name of or otherwise on behalf of the other Party.

12.4 No Third-Party Beneficiaries.

This Agreement does not create any third-party beneficiary rights in any individual or entity that is not a Party to this Agreement.

12.5 Assignment.

Except as set forth in this Subsection, neither Party shall assign, delegate, or otherwise transfer this Agreement or any of its rights or obligations to a third party without the other Party’s prior written consent. Either Party may assign, without such consent but upon written notice, its rights and obligations under this Agreement to: (i) its corporate affiliate; or (ii) any entity that acquires all or substantially all of its capital stock or its assets related to this Agreement, through purchase, merger, consolidation, or otherwise. Any other attempted assignment shall be void. Subject to the foregoing, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by any permitted assignee.

12.6 Applicable Law.

This Agreement will be interpreted, construed and enforced in all respects in accordance with the laws of the State of California, U.S.A., as applied to agreements entered into and to be performed entirely within California between California residents, without regard to conflicts of law principles. In such case, the sole and exclusive personal jurisdiction and venue for any legal proceedings in connection with this Agreement shall be in the California State Courts located in Santa Clara County and the U.S. District Court for the Northern District of California. The Parties waive any objections related to such jurisdictions and venues. The 1980 UN Convention on Contracts for the International Sale of Goods or its successor will not apply to this Agreement.

12.7 Notice.

Ordinary day-to-day operational communications may be conducted by email or telephone communications. Any other notices required by this Agreement will be in writing and given by personal delivery, by pre-paid first-class mail or by overnight courier to the address listed in this Agreement or provided by Customer in Customer’s account settings (or such other address as may be specified in writing in accordance with this Subsection).

12.8 Additional Definitions.

“AttackIQ Marks” means any trademarks, service marks, service or trade names, logos, and other designations of AttackIQ.

“Confidential Information” means any information that is proprietary or confidential to the Discloser or that the Discloser is obligated to keep confidential (e.g., pursuant to a contractual or other obligation owing to a third party). Confidential Information may be of a technical, business or other nature (including, but not limited to, information which relates to the Discloser’s technology, software documentation, research, development, products, services, pricing of products and services, customers, employees, contractors, marketing plans, finances, contracts, legal affairs, or business affairs). However, Confidential Information does not include any information that: (a) was known to the Recipient prior to receiving the same from the Discloser in connection with this Agreement; (b) is independently developed by the Recipient; (c) is acquired by the Recipient from another source without restriction as to use or disclosure; or (d) is or becomes part of the public domain through no fault or action of the Recipient. All Customer Data and Personal Data is the Confidential Information of Customer.

“Customer Data” means: (a) data, including Personal Data, Customer provides to AttackIQ under this Agreement and (b) the contents of the Flex Report that are specific to Customer, including information regarding Customer’s network security vulnerabilities and security threats.

“Discloser” means a Party that discloses any of its Confidential Information to the other Party.

“Intellectual Property Rights” means any patent, copyright, trademark, service mark, trade name, trade secret, know-how, moral right or other intellectual property right under the laws of any jurisdiction, whether registered, unregistered, statutory, common law or otherwise (including any rights to sue, recover damages or obtain relief for any past infringement, and any rights under any application, assignment, license, legal opinion or search).

“Party” means AttackIQ or Customer.

“Personal Data” means any information provided by Customer to AttackIQ used to identify a specific natural person, either alone or when combined with other information that is linkable by AttackIQ to a specific natural person. Personal Data also includes other information provided by Customer to AttackIQ about a specific natural person where the data protection laws in effect in the region where such person resides define this information as Personal Data.

“Purpose” means the limited purpose of evaluating and validating the effectiveness of Customer’s own computer network security infrastructure in connection with Customer’s ordinary, internal business operations.

“Recipient” means a Party that receives any Confidential Information of the other Party.

“User” means Customer’s current employees, independent contractors, agents and consultants who are authorized or permitted by Customer to access the Flex Report on behalf of Customer.

12.9 Entire Agreement.

This Agreement, including any attachments and exhibits, constitutes the complete and exclusive statement of all mutual understandings between the Parties with respect to the subject matter hereof, superseding all prior or contemporaneous proposals, communications and understandings, oral or written. No modification, amendment, or waiver of any provision of this Agreement will be effective unless it exists in writing and is signed by the Party against whom the modification, amendment, or waiver is to be asserted. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.