***IMPORTANT READ CAREFULLY***

MASTER SOFTWARE AND SERVICES AGREEMENT

Updated May 9, 2022

THIS MASTER SOFTWARE AND SERVICES AGREEMENT (THIS “AGREEMENT”) GOVERNS THE LICENSE AND/OR ACCESS OF COFENSE SOFTWARE, SUBSCRIPTIONS AND SERVICES PROVIDED BY COFENSE INC., AND/OR ITS AFFILIATES (“COFENSE”) UNLESS YOU (OR THE BUSINESS, GOVERNMENT OR ENTITY YOU REPRESENT) HAVE EXECUTED A SEPARATE WRITTEN AGREEMENT WITH COFENSE GOVERNING SUCH SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES.

PLEASE READ THIS AGREEMENT CAREFULLY. CLICKING ON THE “YES” OR “I ACCEPT” BUTTON (OR OTHER BUTTON OR MECHANISM DESIGNED TO ACKNOWLEDGE AGREEMENT TO THE TERMS OF THIS AGREEMENT), DOWNLOADING, INSTALLING, ACCESSING OR USING COFENSE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT YOUR SUBMISSION OF AN ORDER FOR THE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES CONSTITUTES AN ACCEPTANCE OF THIS AGREEMENT AND THAT ALL FUTURE ORDERS FOR THE SAME SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES FOLLOWING YOUR ACCEPTANCE OF THIS AGREEMENT WILL BE GOVERNED BY THE TERMS OF THIS AGREEMENT.

IF YOU AGREE TO THIS AGREEMENT ON BEHALF OF A BUSINESS, GOVERNMENT, OR OTHER ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE POWER AND AUTHORITY TO BIND SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY. AS USED IN THIS AGREEMENT, “CUSTOMER” REFERS TO THE BUSINESS, GOVERNMENT, OR OTHER ENTITY ON WHOSE BEHALF YOU HAVE ENTERED INTO THIS AGREEMENT.

IF YOU ARE UNWILLING TO AGREE TO THIS AGREEMENT, OR YOU DO NOT HAVE THE RIGHT, POWER AND AUTHORITY TO ACT ON BEHALF OF AND BIND THE CUSTOMER, DO NOT CLICK ON THE BUTTON AND DO NOT INSTALL, DOWNLOAD, ACCESS, OR OTHERWISE USE THE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES.

IF CUSTOMER RECEIVES THE SOFTWARE, SUBSCRIPTIONS OR SERVICES THROUGH A COFENSE AUTHORIZED RESELLER, PARTNER OR DISTRIBUTOR (COLLECTIVELY, “AUTHORIZED PARTNER”), ALL FEES AND OTHER PROCUREMENT AND DELIVERY TERMS WILL BE AGREED BETWEEN CUSTOMER AND THE AUTHORIZED PARTNER; HOWEVER, THE TERMS SET FORTH IN THIS AGREEMENT REGARDING CUSTOMER’S USE OF THE SOFTWARE, SUBSCRIPTIONS AND SERVICES REMAIN APPLICABLE. FOR CLARIFICATION, CUSTOMER’S AGREEMENT WITH THE AUTHORIZED PARTNER IS BETWEEN CUSTOMER AND THE AUTHORIZED PARTNER ONLY AND SUCH AGREEMENT IS NOT BINDING ON COFENSE. 

I. DEFINITIONS.

“Authorized Users” means Customer authorized employees, agents or independent contractors with an assigned unique email address, who may (i) access the applicable Subscription or Software; and/or (ii) receive or send email messages with respect to the applicable Subscription or Software.

“Confidential Information” means any non-public, confidential, or proprietary information of a disclosing Party (“Discloser”) that should reasonably be understood by the receiving Party (“Recipient”) to be confidential because of (i) legends or other markings; (ii) the circumstances of disclosure; or (iii) the nature of the information, which may be disclosed either directly or indirectly, in writing, visually, orally or by inspection of tangible objects (including without limitation documents, prototypes, samples, products, software, product specifications and white papers) or other means. Confidential Information includes but is not limited to technology and technical information, promotional and marketing activities, inventions, finances and financial plans, customers, business and product plans, know-how, source code, data, algorithms, methods and processes, trade secrets, designs, techniques, analyses, models, strategies and objectives, and any third-party information that Discloser is otherwise obligated to keep confidential.

“Customer Marks” means Customer’s name and logo, the names of any of Customer’s websites, other names of Customer’s business, enterprises or properties, product marks, trademarks and any other registered intellectual property of Customer.

“Customer Data” means the information submitted or provided by Customer and its Authorized Users for use with the Software and Services.

“Documentation” means the applicable Software and Subscription user manuals provided by Cofense to its customers (which may be in electronic format), as amended from time to time by Cofense.

“Intellectual Property Rights” means copyrights (including, without limitation, the exclusive right to use, reproduce, modify, distribute, publicly display and publicly perform the copyrighted work), trademark rights (including, without limitation, trade names, trademarks, service marks, and trade dress), patent rights (including, without limitation, the exclusive right to make, use and sell), trade secrets, moral rights, right of publicity, authors’ rights, contract and licensing rights, goodwill and all other intellectual property rights as may exist now and/or hereafter come into existence and all renewals and extensions thereof, regardless of whether such rights arise under the law of the United States or any other state, country or jurisdiction.

“Order” means (i) a quotation issued to Customer by Cofense that is signed by both Parties or (ii) a written purchase order or similar ordering document, signed or submitted by Customer and accepted by Cofense, under which Customer agrees to purchase Software and/or Services. It is agreed that all Orders for the Software and Services hereunder will incorporate the terms of this Agreement, whether expressly referenced or not, and will only be accepted subject to the terms of this Agreement. The terms and conditions of this Agreement will govern all Orders, and any additional or different terms in an Order are deemed void and of no effect unless such additional or different terms are agreed upon by the Parties in writing. For clarity, acceptance by Cofense of a Customer’s purchase order or similar ordering document will not be deemed an acceptance of any conflicting or additional terms and conditions.

“Cofense IP” means all Cofense proprietary materials, including without limitation, the Software, Subscriptions, Cofense’s Confidential Information, threat intelligence and threat indicators, intelligence alerts and reports, and/or investigation tools, Aggregate Data, Documentation, Cofense Rules, proprietary processes and methods, and any Cofense templates and/or forms.

“Software” means the licensed software (object code and source code) described in the applicable exhibit for such Software attached to this Agreement.

“Software Support Services” means the applicable support services provided with the Software, as described in the Software Support Services Exhibit attached to this Agreement.

“Professional Services” means professional consulting services or managed services rendered or performed by Cofense, as described under an applicable Statement of Work or schedule for such Professional Services attached to this Agreement.

“Service(s)” means the Subscription Services, Professional Services and Software Support Services.

“Statement of Work” or “SOW” means a written statement of work or addendum, mutually agreed-upon and signed by the Parties, describing Professional Services and incorporating this Agreement.

“Subscription Services” or “Subscription” means the subscription service provided by Cofense, as described in the applicable exhibit for such Subscription attached to this Agreement.

II. PROVISION OF SOFTWARE AND SERVICES; CUSTOMER RESPONSIBILITIES.

A.    Orders and SOWs. Cofense will provide the Software and Services set forth in Orders or Statements of Work, as applicable, pursuant and subject to this Agreement. Terms and licenses specific to each Software and Service are set forth in the applicable exhibit for such Software and Service attached hereto (Exhibit A – Cofense Professional Services; Exhibit B – Cofense PhishMe Subscription and Acceptable Use Policy Addendum; Exhibit C – Cofense Intelligence Subscription; Exhibit D – Cofense LMS Subscription; Exhibit E – Cofense Reporter for Mobile (Hosting); Exhibit F – Cofense Reporter; Exhibit G – Cofense Validator; Exhibit H – Cofense Vision Software; Exhibit I – Cofense Triage Software; Exhibit J – Software Support Services; Exhibit K – Cofense Protect; Exhibit L – U.S. Federal Government Customers).

B.    Evaluations. If Cofense provides any Software or Subscriptions, along with any other related materials and documentation for Customer’s evaluation purposes (collectively, “Evaluation Products”), then Cofense grants Customer a limited, nontransferable, non-assignable, non-sublicensable right to use the Evaluation Product listed in the applicable activation email sent by Cofense to Customer, subject to the terms of this Agreement and any other limitations expressly set forth in the activation email. In addition, if Cofense grants Customer a license to evaluate Cofense PhishMe™ pursuant to this Agreement, such license (along with Customer’s rights and obligations herein) will apply to any evaluation of Cofense Intelligence™ and Cofense LMS™ made in conjunction with such evaluation of Cofense PhishMe. Customer may use the Evaluation Product for its own internal evaluation purposes from the date in which Customer first installs, downloads or accesses the Evaluation Product, until the expiration date set forth in the activation email or, if no expiration date is set forth in the activation email, for a period of up to thirty (30) days from the date of installation, download or access of the Evaluation Product (the “Evaluation Period”). Cofense may, at its sole discretion, provide reasonable maintenance and support for the Evaluation Products during the Evaluation Period. Evaluation Products are provided to Customer “AS-IS”, and to the extent permitted by applicable law, Cofense disclaims all indemnities and warranties relating to the evaluation of the Evaluation Product, express or implied, including but not limited to any warranties against infringement of third party rights, merchantability, and fitness for a particular purpose. Customer acknowledges that the Evaluation Product is Cofense’s Intellectual Property.
At the end of the Evaluation Period, all evaluation licenses granted herein will automatically terminate and Customer will delete or return Evaluation Products in Customer’s possession, and provide written certification of such destruction or return in writing to Cofense. If applicable, Customer understands that Cofense may disable access to the Evaluation Products automatically at the end of the Evaluation Period, without notice to Customer. This Section will take precedence over any contradictory language in this Agreement as it relates to an Evaluation Product.

C.    Customer Responsibilities. Customer (i) is responsible for the use of the Software and Services by Customer and its Authorized Users in compliance with this Agreement, including any applicable exhibits, addenda, Documentation and applicable laws and government regulations; (ii) is responsible for the accuracy, quality and legality of Customer Data, including the lawful use and transmission of Customer Data provided by Customer and its Authorized Users in connection with the Software and Services; (iii) will obtain all rights, permissions or consents from Authorized Users and other Customer personnel that are necessary to grant the rights and licenses in this Agreement; and (iv) will use commercially reasonable efforts to prevent unauthorized access to or use of Cofense IP, Software and Subscriptions, and will notify Cofense promptly of such unauthorized use. 

III. TERM AND TERMINATION.

A.    Term.

1.     Software License and Support. Each Software will be licensed for the period of time stated on the applicable Order or, if no period of time for the Software License is specified in the Order, for a period of one (1) year from the date the Software was delivered to Customer (“Initial Software License Term”). Unless otherwise stated on the Order, the Software License will automatically renew after its Initial Software License Term for additional periods of one (1) year each (each, a “Renewal Software License Term” and together with the Initial Software License Term, the “Software License Term”), unless either Party notifies the other of its intention not to renew the Software License at least sixty (60) days prior to the expiration of the then-current Software License Term. If Customer is licensing the Software on a term basis, Cofense will provide Software Support Services at no additional charge, for the duration of the Software License Term and such Software Support Services will be coterminous with the Software License Term. If Customer is licensing Software on a perpetual basis, Customer’s license to the Software is contingent on Customer purchasing Software Support Services for the duration of the perpetual license subject to Cofense’s End of Life Policy as set forth in the Cofense Community portal. If Cofense no longer supports such Software pursuant to its End of Life Policy, Customer may continue to use the Software without Software Support Services. Except pursuant to the foregoing sentence, if Customer ceases to purchase Software Support Services at any time during the term of the perpetual license, the perpetual license will terminate.

2.     Subscriptions. The term of each Subscription is specified in the applicable Order or, if no period of time for the applicable Subscription is specified, for a period of one (1) year from the date in which access to the Subscription was made available to Customer (“Initial Subscription Term”).  Unless otherwise stated on the Order, the Subscription will automatically renew after its Initial Subscription Term for additional periods of one (1) year each (each, a “Renewal Subscription Term” and together with the Initial Subscription Term, the “Subscription Term”), unless either Party notifies the other of its intention not to renew the Subscription at least sixty (60) days prior to the expiration of the then-current Subscription Term.

3.    Professional Services. The term of performance for Professional Services begins on the date stated in the applicable SOW or Order or, as otherwise mutually agreed in writing between the Parties, and will remain in effect for the term stated in the applicable SOW or Order. If no term for Professional Services is set forth in the applicable SOW or Order, then (i) with respect to a SOW, the Professional Services will start on the effective date of the SOW and will continue until complete, unless otherwise terminated as set forth herein, and (ii) with respect to an Order, Professional Services will start on a mutually agreed upon date, and continue until complete, unless otherwise terminated as set forth herein.

B.    Termination for Material Breach; Suspension. A Party may terminate this Agreement or one or more of the Orders and Statements of Work hereunder, if the other Party commits a material breach, and fails to remedy such breach within thirty (30) days of being notified by the non-breaching Party of such breach (“Cure Period”). Notwithstanding the foregoing, Customer acknowledges and agrees that Cofense may, in its sole and absolute discretion, immediately terminate this Agreement, or affected SOW or Order, or suspend Customer’s access to any Services in connection with any actual, alleged or suspected: (i) breach of confidentiality obligations and license or use restrictions set forth in this Agreement and applicable exhibit, (ii) direct or indirect technical or security issues or problems caused by or relating to Customer, or (iii) violations of applicable law and, in Cofense’s determination, such violation cannot be adequately cured within the Cure Period. If Cofense terminates this Agreement or any Order or Statement of Work due to Customer’s material breach, Cofense will not refund any amounts to Customer. If Customer terminates a Software license or Service for Cofense’s material breach, Customer will receive a refund for the remainder of the then-current term for such Software or Service; provided that Customer will not be entitled to any refund if Customer is also in breach of the Agreement at the time of such termination. If Customer terminates a Software License or Services other than for Cofense’s material breach, Customer will not receive a refund or credit of any Fees already paid or due to Cofense and, if applicable, all outstanding Software License and Services Fees under an applicable SOW or Order will accelerate and become immediately due and payable.

C.    Effect of Termination. Upon termination of an applicable SOW or Order for any reason, all access rights and licenses granted herein with respect to the affected Order or SOW will immediately terminate. Termination or expiration of any Order or SOW will not be deemed a termination or expiration of any other Orders or SOWs in effect as of the date of termination or expiration, and this Agreement will continue to govern and be effective as to those outstanding Orders and SOWs until those Orders and SOWs have expired or terminated by their own terms or as set forth herein. Within ten (10) business days of the termination of an applicable SOW or Order, each Party will return or delete all copies of the other Party’s intellectual property in its possession or control.

D.    Survival. The provisions of Section IV (Fees, Taxes and Expenses), Section V (Confidentiality and Data Privacy), Section VI (Intellectual Property), Section VII(D) (Disclaimers), Section IX (Limitation of Liability), Section XII (Miscellaneous), and all accrued payment obligations, will survive the termination of this Agreement and the termination of all Orders and SOWs.

IV. FEES, TAXES AND EXPENSES.

A.   Customer will pay the fees for the Software and Services set forth in the applicable Order or Statement of Work (“Fees”).  All Fees are non-cancelable and non-refundable. All Fees will be fully invoiced in advance, unless otherwise agreed by the Parties in writing. Fees are exclusive of all tariffs, duties or taxes imposed or levied by any government or governmental agency, including without limitation, federal, state and local sales, use, value added or other similar taxes (collectively, “Taxes”) and Customer is responsible for paying all Taxes applicable to the Software and Services provided by Cofense to Customer. Customer will reimburse Cofense for any and all expenses incurred by Cofense so long as such expenses are directly attributable to the Software and Services provided to Customer.

B.   Customer agrees to pay, in full, any undisputed invoice submitted by Cofense within thirty (30) days of receipt of such invoice. If Customer fails to make any payment when due, then interest at a rate of one and one-half percent (1.5%) per month will accrue on such unpaid, undisputed amounts, calculated from the date the payment was originally due. If Customer disputes any invoice, it will promptly notify Cofense of the disputed amount, but in no event later than the date payment is due, with an explanation of the reasons therefor.

V. CONFIDENTIALITY AND DATA PRIVACY.

A.   Recipient will: (i) not use any Confidential Information for any purpose except to evaluate and engage in discussions concerning a potential business relationship between the Parties and/or to fulfill its obligations under this Agreement; (ii) use at least the same degree of care as Recipient uses to protect its own confidential information from unauthorized use, access or disclosure, but in no event less than a reasonable degree of care; (iii) limit disclosure of Confidential Information to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing, prior to the receipt of Confidential Information, to be bound by confidentiality obligations similar to those set forth in this Agreement; (iv) not disclose any Confidential Information to third parties without Discloser’s prior written consent; (v) not copy, reverse engineer, disassemble, create any works from, or decompile any prototypes, software or other tangible objects which embody Discloser’s Confidential Information; and (vi) comply with, and obtain all required authorizations arising from, all U.S. and other applicable export control laws or regulations. Any reproduction of Confidential Information requires Discloser’s prior written consent and will remain the property of Discloser. Any reproductions will contain any and all notices of confidentiality contained on the original Confidential Information.

B.   The foregoing confidentiality obligations will not apply to information that Recipient can demonstrate: (i) is publicly known and made generally available through no improper action or inaction of Recipient; (ii) was already in the possession of, or known by Recipient prior to the time of disclosure by Discloser through no fault or breach of this Agreement by Recipient; (iii) was rightfully obtained by, or disclosed to, Recipient from a third party without any obligation to maintain the Confidential Information as proprietary or confidential; or (iv) is independently developed by Recipient without use of or reference to Discloser’s Confidential Information. Recipient may disclose Confidential Information to the extent such disclosure is required to comply with applicable law or a valid order or requirement of a governmental or regulatory agency or court of competent jurisdiction, provided that Recipient (a) restricts such disclosure to the maximum extent legally permissible; (b) notifies Discloser as soon as practicable of any such requirement to the extent such provision of prior notice is permitted by applicable law; and (c) that subject to such disclosure, such disclosed materials will in all respects remain subject to the restrictions set forth in this Agreement.

C.   Within ten (10) business days of the termination of this Agreement or upon Discloser’s written request, Recipient will promptly, at Recipient’s election, destroy or return all of Discloser’s Confidential Information in Recipient’s possession or in the possession of any representative of Recipient; provided, however, that Recipient will not, in connection with the foregoing obligations, be required to delete Confidential Information held electronically in archive or back-up systems, and such Confidential Information will in all respects remain subject to the restrictions set forth in this Agreement. Upon Discloser’s written request, Recipient will provide a certification, signed by an officer of Recipient, as to the destruction or return of Discloser’s Confidential Information.

D.   Discloser retains all right, title and interest to its Confidential Information.  Recipient acknowledges that the disclosure of Confidential Information may cause irreparable injury to Discloser. Discloser will, therefore, be entitled to seek injunctive relief upon a disclosure or threatened disclosure of any Confidential Information, without a requirement that Discloser prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as may be available to Discloser at law or in equity. ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS.” DISCLOSER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, REGARDING ITS ACCURACY, COMPLETENESS OR PERFORMANCE.

E.   If use of the Software and Subscriptions includes the processing of personal data (as described in applicable data privacy laws), when performing its obligations under this Agreement, the following will apply:

1.     Customer will ensure that: (i) Customer is entitled to transfer the relevant personal data to Cofense so that Cofense may lawfully use, process and transfer the personal data on Customer’s behalf and in accordance with this Agreement; and (ii) the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection laws.

2.     Cofense will: (i) process personal data in compliance with and subject to this Agreement and any lawful and reasonable instructions received from Customer; (ii) not use or process or permit any Cofense subcontractors to use or process, any personal data except to the extent necessary to perform its obligations under this Agreement; (iii) implement and maintain adequate and reasonable technical and organizational safeguards designed to protect against the unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data in Cofense’s possession or control; (iv) ensure that it has appropriate procedures in place designed to comply with applicable data protection laws and will take all reasonable steps to ensure that persons employed by it, and other persons engaged at its place of work, are aware of and comply with applicable data privacy laws and regulations.

3.     Cofense may process or otherwise transfer personal data in or to any country outside the European Economic Area or any country not deemed adequate by the European Commission pursuant to applicable data protection laws to the extent necessary for the provision of the Software and Services. If required, Cofense will enter into the EU Standard Contractual Clauses as approved by the European Commission for ensuring an adequate level of data protection in respect of the personal data that will be processed or transferred.

4.     Cofense will not sell, process, retain, disclose, or use (i) for a commercial purpose or (ii) outside of the direct business relationship between Cofense and Customer, any Customer Data that, under the California Consumer Privacy Act (“CCPA”) constitutes “personal information” (“CA Personal Information”), except to provide the Software and Services or as permitted by CCPA. Notwithstanding anything in this Agreement, Order or Statement of Work, the Parties acknowledge and agree that Cofense’s access to CA Personal Information or any other Customer Data does not constitute part of the consideration exchanged by the Parties in respect of this Agreement.

VI. INTELLECTUAL PROPERTY.

A.    Intellectual Property of Cofense; Restrictions. All Intellectual Property Rights in the Cofense IP belong exclusively to Cofense or its licensors. Customer acknowledges and agrees that it will not (and will not allow any third party), in whole or in part, to directly or indirectly: (i) disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of any Cofense IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes), (ii) sell, resell, distribute, sublicense or otherwise transfer, the Cofense IP, or make the functionality of the Cofense IP available to any other party through any means (unless Cofense has provided prior written consent), or (iii) reproduce, alter, modify or create derivatives of the Cofense IP (unless as expressly permitted in this Agreement). Customer will maintain the copyright notice and any other notices that appear on Cofense IP, including any interfaces related to the Software or Subscriptions.

B.    Aggregate Data; Feedback. Notwithstanding the foregoing, Cofense owns all Intellectual Property Rights in and to Aggregate Data, and may use, reproduce, sell, publicize or otherwise exploit Aggregate Data in any way, in its sole discretion. “Aggregate Data” refers to Customer Data that is de-identified (stripped of any information used to identify Customer, including personal data). Aggregate Data will also include statistical information related to the use and performance of Software and Services, provided that such statistical information is de-identified. Customer grants to Cofense a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and exploit any suggestion, enhancement request, recommendation, correction or other feedback (“Feedback”) provided by Customer or its Authorized Users relating to the Software and Services. Feedback will not include Confidential Information.

C.    Cofense Templates and Formats. Customer acknowledges that for applicable Software and Services, Cofense may provide certain Cofense templates and formats to Customer, and Customer will have a non-exclusive, nontransferable, non-sublicensable right to use, modify, display and reproduce such templates and formats for Customer’s internal use with the applicable Software or Service, subject to the restrictions set forth in this Agreement. To the extent that any such modified templates and/or formats do not embody or otherwise include Customer’s Confidential Information and Customer Marks, Cofense owns and holds all right, title and interest in and to such templates and/or formats.

D.    Intellectual Property of Customer; Restrictions. Cofense acknowledges that Customer owns all right, title, and interest in and to Customer Marks and Customer Data (excluding Aggregate Data). Customer grants to Cofense the worldwide right to use, access, host, copy, transmit and display Customer Marks and Customer Data, as reasonably necessary for Cofense to perform its obligations in accordance with this Agreement. Cofense may disclose Customer Data to its third-party contractors and service providers (including cloud service providers) to the extent necessary to provide the applicable Software and Services in accordance with this Agreement; provided that such third-party contractors and service providers are bound by confidentiality obligations similar to the provisions of this Agreement. Cofense expressly disclaims any Customer Data which Customer has generated for use with an applicable Subscription or Software, and Customer agrees to indemnify, hold harmless and, at Cofense’s option, to defend Cofense, its officers, directors, employees, contractors and agents from and against any losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) incurred as a result of any alleged or actual violations of any third party rights arising out of the Customer Data.

E.    U.S. Government Restricted Rights. The Cofense IP, Software and Services are “commercial items”, “commercial computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR Sections 12.211-12.212, as applicable.  All Cofense IP, Software, and Services are and were developed solely at private expense and the use of Cofense IP, Software and Services by the United States Government are governed solely by this Agreement and are prohibited except to the extent expressly permitted by this Agreement.

VII. WARRANTIES AND DISCLAIMERS.

A.    Software Warranty. Cofense represents and warrants that, during the one (1) year period following delivery of the Software to Customer (“Software Warranty Period”), the Software will perform materially as described in the applicable Documentation. Customer must promptly notify Cofense of any breach of this warranty, but in any event no later than the expiration of the Software Warranty Period. The warranty set forth in this Section will not apply if the Software (i) has been modified or altered by any party other than Cofense or Cofense’s duly authorized representatives; (ii) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Cofense; or (iii) has been subjected to abnormal stress, misuse, negligence, or accident. In the event of a breach of the warranty in this Section, Cofense will at its sole option, either repair the Software or replace the Software with software of substantially similar functionality. The foregoing states Customer’s sole remedy and Cofense’s entire liability for breach of warranty in this Section.

B.    Professional Services and Software Support Services Warranty. Cofense warrants to Customer that Professional Services and Software Support Services will be performed in a professional manner in accordance with industry standards for like services.  Customer must promptly notify Cofense of any breach of this warranty, but in any event no later than thirty (30) days following the date the Professional Services or Software Support Services were performed. For any breach of Cofense’s warranty obligations set forth in this Section, Cofense will promptly correct or re-perform the applicable Professional Services or Software Support Services, at Cofense’s expense. The foregoing states Customer’s sole remedy and Cofense’s entire liability for breach of warranty in this Section.

C.    Subscription Services Warranty. Cofense warrants to Customer that during the applicable Subscription Term, the Subscription will be performed materially in accordance with the applicable Documentation, and in a professional manner with reasonable skill and care.  Customer must promptly notify Cofense of any breach of this warranty, but in any event no later than thirty (30) days following the date this warranty was allegedly breached. The warranty set forth in this Section will not apply if (i) Customer has used the Subscription contrary to Cofense’s instructions as may be set forth in the applicable exhibit or Documentation, or (ii) the Subscription has been modified or altered by any party other than Cofense or Cofense’s duly authorized representatives. For any breach of Cofense’s warranty obligations set forth in this Section, Cofense will promptly correct the non-conformity, at Cofense’s expense. The preceding sentence states Customer’s sole remedy and Cofense’s entire liability for breach of warranty in this Section.

D.    DISCLAIMERS. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN, ALL SOFTWARE, SUBSCRIPTIONS, AND SERVICES ARE PROVIDED ON AN “AS IS” BASIS WITHOUT ANY WARRANTY WHATSOEVER AND COFENSE EXPRESSLY DISCLAIMS, TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, ALL WARRANTIES, EXPRESS, IMPLIED AND STATUTORY, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE.  COFENSE ALSO MAKES NO WARRANTY REGARDING NONINTERRUPTION OF USE OR FREEDOM FROM BUGS, AND MAKES NO WARRANTY THAT SOFTWARE, SERVICES OR SUBSCRIPTIONS WILL BE ERROR-FREE. COFENSE DOES NOT GUARANTEE ANY SPECIFIC RESULTS FROM USING THE SOFTWARE, SERVICES AND SUBSCRIPTIONS.

VIII.         INDEMNIFICATION.

A.   Cofense agrees to indemnify, defend, and hold Customer, its employees and agents harmless from any and all claims and/or demands, including reasonable attorneys’ fees, arising out of or in connection with a claim that the Cofense IP, Software or Subscription, infringes a valid third party intellectual property right. If the Cofense IP, Software or Subscription, or parts thereof, become, or in Cofense’s opinion may become, the subject of an infringement claim, Cofense may, at its option: (i) modify or replace such Cofense IP, Software or Subscription with a non-infringing, functional equivalent; (ii) obtain for Customer all necessary licenses and permissions to continue using the Cofense IP, Software or Subscription; or (iii) require that Customer cease to use the Cofense IP, Software or Subscription and (a) with respect to Subscriptions and term Software Licenses, refund any pre-paid Fees for the unused remainder of the Software License Term or Subscription Term; (b) with respect to perpetual Software Licenses, refund the Fees paid for the Software License, less allowance for amortization over a three (3) year period, straight-line method and refund any pre-paid Fees for the unused remainder of the Software Support Term; and (c) with respect to Professional Services, refund any pre-paid Fees for Professional Services that have not been delivered.  This Section states Cofense’s entire liability and Customer’s exclusive remedy for claims based on infringement of any third party’s intellectual property rights.

B.   Cofense will have no indemnification obligations with respect to any action arising out of: (i) the use of any Cofense IP, Software or Subscription, or any part thereof, in combination with other software or products not authorized by Cofense; (ii) any modification of the Cofense IP, Software or Subscription not performed or expressly authorized by Cofense; (iii) Customer’s failure to substantially comply with Cofense’s reasonable written instructions which if implemented would have rendered the Cofense IP, Software or Subscription non-infringing, provided that a sufficient time period is given to Customer in order to implement such written instructions; or (iv) the use of the Cofense IP, Software or Services other than in accordance with this Agreement and applicable Documentation.

C.   Customer agrees to indemnify, defend and hold Cofense, its employees and agents harmless from any and all claims and/or demands, including reasonable attorneys’ fees, made by any third party arising out of or related to Customer’s alleged or actual use or misuse of the Cofense IP, Software and Subscriptions, including without limitation: (a) claims related to the unauthorized disclosure or exposure of personal data or other private information by Customer; (b) claims that the Customer Data infringes a third party right; (c) claims that use of a Subscription by Customer, including by Customer’s Authorized Users, harasses, defames, or defrauds a third party; or (d) claims arising from Customer’s use of the Software and Services in violation of this Agreement.

D.   Each Party which seeks indemnification (the “Indemnified Party”) will (i) notify the other Party (the “Indemnifying Party”) promptly after receiving notice of any threat or claim in writing of such actions set forth above, provided that if the Indemnified Party fails to notify the Indemnifying Party promptly of any threat or claim, the Indemnifying Party will be relieved of its obligation to indemnify the Indemnified Party to the extent the Indemnifying Party is prejudiced by the delay in notice; (ii) grant the Indemnifying Party sole control of the defense and any related settlement negotiations; provided no settlement may be agreed to without the Indemnified Party’s consent (which consent will not be unreasonably withheld); and (iii) reasonably cooperate, at the Indemnifying Party’s expense, with the Indemnifying Party in defense of such claim.

IX.         LIMITATION OF LIABILITY.

A.    Exclusion of Consequential and Related Damages. EXCEPT FOR LIABILITY ARISING UNDER A BREACH OF ANY INTELLECTUAL PROPERTY RIGHT OF A PARTY, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION VIII, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT WILL A PARTY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY LOST PROFITS AND LOST SAVINGS, HOWEVER CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

B.    Limitation of Monetary Damages. EXCEPT FOR LIABILITY ARISING UNDER A BREACH OF ANY INTELLECTUAL PROPERTY RIGHT OF A PARTY, PAYMENT OBLIGATIONS OF CUSTOMER, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION VIII, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, AND NOTWITHSTANDING ANY OTHER PROVISIONS OF THIS AGREEMENT OR ANY ORDER OR STATEMENT OF WORK, A PARTY’S TOTAL LIABILITY ARISING OUT OF THIS AGREEMENT WILL BE LIMITED TO THE TOTAL AMOUNTS RECEIVED BY COFENSE FOR THE RELEVANT SOFTWARE, SUBSCRIPTIONS OR SERVICES DURING THE SIX (6) MONTHS PRIOR TO THE FIRST EVENT GIVING RISE TO SUCH LIABILITY.

C.    Applicability. THE LIMITATIONS AND EXCLUSIONS CONTAINED HEREIN WILL APPLY ONLY TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING HEREIN PURPORTS TO LIMIT EITHER PARTY’S LIABILITY IN A MANNER THAT WOULD BE UNENFORCEABLE OR VOID AS AGAINST PUBLIC POLICY IN THE APPLICABLE JURISDICTION.

X.         AUDIT RIGHTS.

A.   Cofense agrees that Customer may conduct an audit of Cofense’s records related to Customer, at Customer’s expense, subject to the following conditions: (i) the audit will only be of Cofense records that pertain solely to this Agreement; (ii) Customer will provide no less than seventy-two (72) hours prior written notice of the date the audit is to be performed; (iii) the audit will be conducted at a location specified by Cofense during Cofense’s normal business hours and without interrupting Cofense’s business operations; and (iv) Customer may not request more than one (1) audit in any twelve (12) month period. Notwithstanding anything in the foregoing to the contrary, Customer may not audit facilities, networks, systems, devices, or storage media of Cofense or its personnel.

B.   Cofense acknowledges that Customer may be subject to examination and audit by applicable government regulatory agencies having jurisdiction over Customer (“Regulatory Agencies”).  Cofense further acknowledges that such Regulatory Agencies may require access to Cofense’s books, records, data, and evidence of procedures and policies relating to Cofense’s compliance with this Agreement. Upon request by such Regulatory Agencies, Cofense will provide the reasonable assistance of Cofense’s employees with knowledge of compliance efforts in connection with any such examination or audit.

C.   For any applicable Software License Term or Subscription Term, Customer agrees that at Cofense’s request, Customer will furnish to Cofense a certification signed by Customer’s authorized representative verifying that the Software or Subscription is being used in accordance with this Agreement.

XI.         NOTICES.

All notices in connection with this Agreement will be in writing and will be deemed effective (i) upon receipt, when delivered personally or by courier, overnight delivery service or confirmed facsimile, or (ii) five (5) business days after having been sent by registered or certified mail or the local equivalent, as evidenced by the postmark. Notices will be addressed to the applicable address as listed in the Order or as subsequently modified by written notice.

XII.         MISCELLANEOUS.

A.    Governing Law. This Agreement is governed by and construed in accordance with the laws of the State of Virginia and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods.  Any legal claims, proceedings or litigation arising out of or in connection with the Software and Services will be brought solely in the federal courts of the State of Virginia, and each Party hereto consents to the jurisdiction and venue of such courts in any suit, action or proceeding concerning this Agreement. Notwithstanding anything in the foregoing to the contrary: (i) if Customer is located in the United Kingdom, this Agreement is governed by and construed in accordance with the laws of England & Wales; and (ii) if Customer is located in the European Union, this Agreement is governed by and construed in accordance with the laws of the Republic of Ireland, each without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods. The Parties agree that the Uniform Computer Information Transactions Act or any version thereof, adopted by any state, in any form, will not apply to this Agreement.

B.    Anti-Corruption and Anti-Bribery. Each Party acknowledges that it is familiar with and understands the provisions of the U.S. Foreign Corrupt Practices Act of 1977, as amended (“the FCPA”) and the U.K. Bribery Act of 2010 (“UKBA”) and agrees not to violate or knowingly let anyone violate the FCPA or UKBA. Customer agrees that no payment it makes will constitute a bribe, influence payment, kickback, rebate, or other payment that violates the FCPA, the UKBA, or any other applicable anti-corruption or anti-bribery laws.

C.    Entire Agreement; Order of Precedence. This Agreement and the applicable exhibits, Orders, SOWs or addenda constitute the complete and entire agreement between Cofense and Customer with respect to the Software and Services. It replaces and supersedes any prior agreements, oral or written, between Cofense and Customer concerning the subject matter hereof. Cofense hereby rejects and deems deleted any additional or different terms or conditions that Customer presents, including, but not limited to, any terms or conditions contained or referenced in any purchase order, acceptance, or acknowledgement. No amendment to this Agreement will be effective unless it is in writing and signed by the authorized representatives of each Party. In the event of conflict between any of the terms in this Agreement and the terms set forth in an exhibit, Order, SOW or addendum, this Agreement will govern, unless otherwise expressly provided in such other exhibits, Orders, SOWs and addenda.

D.    Assignability. Any assignment of this Agreement, SOW, Order or addenda by either Party to another party, including any transfer by operation of law or otherwise, without the other Party’s prior written consent (which consent will not be unreasonably withheld) will be null and void; provided, however, that each Party may assign this Agreement, SOW, Order or addenda in whole or in part, without consent, to an affiliate or in connection with any merger, asset purchase or sale, stock purchase or sale or similar change of control transaction.  Cofense may use subcontractors in the performance of its obligations. Cofense will disclose subcontractors having access to Customer Data upon Customer’s written request.

E.    Force Majeure. With the exception of Customer’s obligation to make payments due and payable to Cofense, neither Cofense nor Customer will be considered to be in breach or default of this Agreement as a result of its delay or failure to perform its obligations herein when such delay or failure arises out of causes beyond the reasonable control of the Party whose performance has been affected.

F.    Attorneys’ Fees. In the event of a contractual dispute arising out of or relating to payment obligations of a party, the party prevailing in such dispute will be entitled to collect from the other party all costs of collection in such dispute, including reasonable attorneys’ fees.

G.    No Third-Party Beneficiaries. Nothing in this Agreement will benefit or create any right or cause of action in or on behalf of any person or entity other than Customer and Cofense.

H.   Waiver and Severability. The failure of a Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision.  If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force and effect.

 

COFENSE PROFESSIONAL SERVICES
EXHIBIT A

In addition to the terms of the Agreement, the following terms apply to Professional Services.

  1. Each Statement of Work and Order for Professional Services will incorporate and be governed by this Agreement. Professional Services provided under an Order will be subject to the terms specific to each Professional Service in the schedules attached to this Exhibit. For clarity, Cofense will not be obligated to perform any Professional Services until Cofense has accepted an Order for the applicable Professional Services or a Statement of Work describing those Professional Services has been agreed to and signed by both Parties.
  2. When Cofense’s personnel are performing Professional Services on site at Customer’s premises, Customer will allocate appropriate working space and physical access for all Cofense personnel.
  3. Either Party may elect to submit written change requests to the other Party proposing changes to the Statement of Work. All changes to an applicable Statement of Work will be made using an amendment signed by both Parties.
  4. Grant of License. Subject to full payment of Fees by Customer for the Professional Services to which a Deliverable (as defined below) relates and in accordance with the terms of this Agreement, Cofense will (a) assign to Customer all copyrights in and to the Deliverables, with the exception of any Cofense IP included therein; and (b) grant to Customer a non-exclusive, royalty-free, worldwide license to use any Cofense IP incorporated into the Deliverable, solely as part of the Deliverable and not separate from the Deliverable, as necessary for Customer to make use of the Deliverable as set forth herein. “Deliverables” means the written reports that are created for Customer as a result of the Professional Services provided hereunder.
  5. Deliverables containing Cofense IP may not be shared with any third party other than (i) law enforcement agencies or (ii) third party consultants/subcontractors, provided that: (A) the consultant/subcontractor is under an obligation of confidentiality and non-use restrictions at least as restrictive as those set forth in this Agreement and (B) the consultant/subcontractor is receiving and using the Deliverable for the sole purposes of providing services to Customer.

 

COFENSE PHISHME
PROFESSIONAL SERVICES CONSULTING
SCHEDULE TO EXHIBIT A

 

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to Cofense PhishMe Professional Services Consulting provided under an applicable Order.

  1. Professional Services Description. Cofense will provide the following Professional Services only in connection with a current subscription for Cofense PhishMe, during the term and for the fees set forth in the applicable Order. Unless otherwise stated in the Order, the Professional Services will automatically renew after the term set forth in the Order for additional periods of one (1) year each, unless either Party notifies the other of its intention not to renew the Professional Services at least sixty (60) days prior to the expiration of the then-current term.

a.   Services Overview. Cofense will provide guidance for simulated phishing scenario campaigns (“Scenario(s)”) Customer sends through Cofense PhishMe, including recommendations, and strategy development as set forth herein.

b.   Cofense will:

i.   Assign a Cofense consultant as Customer’s point of contact for the performance of Services under this Schedule.

ii.   Conduct a kick-off call with Customer to develop an understanding of Customer’s security environment, Customer’s current security efforts, and assignment of decision making roles and required processes for Customer under this Schedule.

iii.   Conduct an additional conference call with Customer to discuss key phishing concepts, the Services program phases, key technical and education requirements, establishment of desired outcomes, and an understanding of the measures of success for Customer’s Cofense PhishMe program.

iv.   Conduct a reasonable number of test Scenarios (no more than four) to confirm Cofense PhishMe setup is complete and functioning appropriately.

v.   Provide an appropriate phishing program announcement for use by Customer to introduce Customer personnel to the Cofense PhishMe program.

vi.   Conduct quarterly Cofense PhishMe program reviews with Customer, and such other meetings as mutually agreed upon by the Parties.

c.   Scheduled Meetings. The Cofense consultant assigned as Customer’s point of contact will be available for up to one (1) hour per week to meet remotely with Customer to advise Customer regarding its Cofense PhishMe program. Customer will request such meetings no less than two (2) business days in advance.

  2. Deliverables. Cofense will provide the following Deliverables.

a.   Program Plan. Cofense will provide a standard Cofense program plan including best practices and a recommended schedule of phishing Scenarios for the term of the Services.

b.   Standard Quarterly Program Review Reports.

c.   Semi-annual “Board of Directors” Reports. Cofense will provide a standard Board of Directors Report two (2) times during the current term.

  3. Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the Services may impact the timing of performance by Cofense.

b.  Customer and Cofense will jointly schedule any meetings, reviews, and/or coordination of resources.

c.  Customer agrees that any request to increase the frequency of Deliverables, to customize the Deliverables, or to provide reports not expressly set forth in this Schedule falls outside the scope of this Schedule and a mutually agreed upon amendment will be required.

d.  Customer understands and acknowledges that the Services require downloading and analyzing Customer data outside of the Cofense PhishMe environment (i.e. a local analysis) in order for Cofense to perform its obligations.

e.  Customer acknowledges Cofense maintains a FedRAMP authorization for the Cofense PhishMe product. If Customer orders Cofense PhishMe Professional Services Consulting, Customer understands and acknowledges Cofense PhishMe Professional Services Consulting is not covered by a FedRAMP authorization and requires Cofense to download and analyze Customer Data outside of the Cofense PhishMe FedRAMP environment in order for Cofense to perform the Services.

COFENSE PHISHME
PROFESSIONAL SERVICES PREMIUM
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to Cofense PhishMe Professional Services Premium provided under an applicable Order.

  1. Professional Services Description. Cofense will provide the following Professional Services only in connection with a current subscription for Cofense PhishMe, during the term and for the fees set forth in the applicable Order. Unless otherwise stated in the Order, the Professional Services will automatically renew after the term set forth in the Order for additional periods of one (1) year each, unless either Party notifies the other of its intention not to renew the Professional Services at least sixty (60) days prior to the expiration of the then-current term.

a.   Overview. Cofense will build and execute simulated phishing scenario campaigns (“Scenario(s)”) through Cofense PhishMe. Cofense will further conduct analysis of the results of such Scenarios, facilitate Customer meetings, and provide reports to Customer as set forth herein.

b.   Initial Planning and Implementation. Cofense will:

i. Assign a Cofense consultant as Customer’s point of contact for the performance of Services under this Schedule.

ii. Conduct a kickoff call with Customer to develop an understanding of Customer’s security environment, Customer’s current security efforts, and assignment of decision making roles and required processes for Customer under this Schedule.

iii. Conduct an additional conference call with Customer to discuss key phishing concepts, the Services program phases, key technical and education requirements, establishment of desired outcomes, and an understanding of the measures of success for Customer’s Cofense PhishMe program.

iv. Conduct a reasonable number of test Scenarios (no more than four) to confirm Cofense PhishMe setup is complete and functioning appropriately.

v. Provide an appropriate phishing program announcement for use by Customer to introduce Customer personnel to the Cofense PhishMe program.

c.   Standard Program Services. Cofense consultant will perform the following:

i.   Provide support for up to twelve (12) Scenarios annually in accordance with a mutually agreed schedule between Cofense and Customer which may include recipient list upload to Cofense PhishMe, preparing phishing email templates and scheduling of Scenarios. With respect to the foregoing Scenarios, Cofense will use commercially reasonable endeavors to create, send, and report on each Scenario within seven (7) business days of Scenario completion. However, this delivery time frame may be increased depending on the complexity of the Scenario. Additional Scenarios may be purchased pursuant to an Order.

ii.   Conduct quarterly Cofense PhishMe program reviews with Customer, and such other meetings as mutually agreed upon by the Parties.

2.   Deliverables. Cofense will provide the following Deliverables:

a.  Program Plan. Cofense will provide a standard Cofense program plan including best practices and a recommended schedule of phishing Scenarios for the applicable term.

b.   Scenario Reports. Up to twelve (12) Scenario Reports subject to Section 1(c)(i).

c.   Standard Quarterly Program Review Reports.

d.   Semi-annual “Board of Directors” Reports. Cofense will provide a standard Board of Directors Report two (2) times during the current term.

3.   Professional Services Premium Multi-Entity (if applicable)

a.   If Customer has ordered Professional Services Premium Multi-Entity (Coordinated), the following will apply: Cofense will provide the services and Deliverables to Customer Affiliates which follow Customer’s overall program and scenario execution plan, and one Customer administrator would serve as the point of contact for the Cofense consultant serving as the point of contact to Customer.

b.   If Customer has ordered Professional Services Premium Multi-Entity (Independent), the following will apply: Cofense will provide the services and Deliverables to Customer’s Affiliates, however each Affiliate may determine its own Scenario content and execution plan independently from Customer. Each Affiliate would have its own, separate Cofense PhishMe account and neither Customer nor Affiliate data would be shared among Affiliates.

c.   For the purpose of this Section, an “Affiliate” of a Party will mean any entity that controls, is controlled by, or is under common control with such Party. For the purpose of the foregoing “control” will mean more than fifty percent (50%) ownership of assets or equity.

4.   Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the Services may impact the timing of performance by Cofense.

b.   Customer and Cofense will jointly schedule any meetings, reviews, and/or coordination of resources.

c.   Customer agrees that any request to increase the frequency of Deliverables, to customize the Deliverables, or to provide reports not expressly set forth in this Schedule falls outside the scope of this Schedule and a mutually agreed upon amendment will be required.

d.   Customer understands and acknowledges that the Services require downloading and analyzing Customer data outside of the Cofense PhishMe environment (i.e. a local analysis) in order for Cofense to perform its obligations.

e.  Customer acknowledges Cofense maintains a FedRAMP authorization for the Cofense PhishMe product. If Customer orders Cofense PhishMe Professional Services Premium, Customer understands and acknowledges Cofense PhishMe Professional Services Premium is not covered by a FedRAMP authorization and requires Cofense to download and analyze Customer Data outside of the Cofense PhishMe FedRAMP environment in order for Cofense to perform the Services.

COFENSE PHISHING DEFENSE CENTER
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to the Cofense Phishing Defense Center (PDC) provided under an applicable Order.

1. Term. Cofense will provide the Professional Services set forth below only in connection with a current license for Cofense Triage, and if applicable, Cofense Vision, during the term and for the fees set forth in the applicable Order. Unless otherwise stated in the Order, the Professional Services will automatically renew after the term set forth in the Order for additional periods of one (1) year each, unless either Party notifies the other of its intention not to renew the Professional Services at least sixty (60) days prior to the expiration of the then-current term.

2. Cofense PDC for Cofense Triage Professional Services and Deliverables. Cofense will provide the following Professional Services in connection with Customer’s current software license of Cofense Triage.

A. Deployment and Configuration Assistance. Cofense will:

i. schedule calls to ensure onboarding is completed in a timely manner in relation to Customer’s Cofense Triage instance.

ii. work with Customer to ensure the Cofense Triage technical requirements are in place for optimal message analysis.

iii. work with Customer to define user responses for messages submitted to Cofense Triage for analysis.

iv. work with Customer to establish escalation procedures.

The above Professional Services may take up to five (5) weeks to complete, however the completion time may vary depending on Customer’s readiness.

B. Daily Analysis, Processing, and Response.

i. Cofense will analyze messages reported by Customer using Cofense Triage.

ii. Cofense will process and notify Customer of identified threats found in the reported emails via a ticketing system. Such notifications will be classified as follows:

  • Malicious – this classification will be used when there is evidence of a threat that may be malicious in nature.
  • Non-Malicious – this classification will be used when there is no evidence of a threat that may be malicious in nature.
  • Suspicious – this classification will be used when no evidence of a threat that may be malicious in nature is found in the email, but the analyst establishes a malicious intent that may lead to future attacks.
  • Spam – This classification will be used when an email is determined to be spam.
  • Phishing Simulation – This classification will be used when the email is part of a phishing training exercise.

iii. Cofense will, upon obtaining advance notice from Customer, process internal, legitimate emails and provide automatic responses to users. Examples of such emails include planned mass mailings or internal system generated emails which users may report as phishing attempts.

iv. At Customer’s request, Cofense will establish a monthly or quarterly service review meeting, as agreed between Customer and Cofense.

C. Email Analysis and Processing Service Levels.

i. Cofense analysts will check and process Customer’s Cofense Triage inbox of reported suspicious emails at least once per hour during the Daily Services Period set forth in Section 4.

ii. Cofense analysts will conduct necessary analysis and processing of any malicious emails discovered and provide analysis details via a ticket to Customer approximately one (1) hour from discovery of a malicious email. Notwithstanding anything in the foregoing to the contrary, analysis may exceed one (1) hour depending on the complexity of threat.

iii. Cofense will escalate malicious emails to Customer promptly after establishing the presence of a threat.

D. Deliverables. Cofense will provide the following Deliverables:

i. Daily escalation tickets of any identified threats.

ii. Report on monthly phishing trends of Customer reported emails.

3. Cofense PDC for Cofense Vision Professional Services. If Customer is also under a current license for Cofense Vision, subsection (A) below will be included in the Professional Services in connection with Customer’s license, and will be performed during the applicable Daily Services Periods set forth in Section 4:

A. Search and Quarantine.

i. Cofense will, using Customer’s Cofense Vision license, initiate a Vision search and quarantine actions for each Cofense-initiated escalation conducted within Cofense Triage.

ii. Cofense will perform searches and, as directed by Customer, quarantine emails reported according to the established escalation procedures.

iii. Cofense will not initiate quarantines on non-malicious emails.

iv. Cofense and Customer will mutually agree upon rules for quarantine and Cofense will initiate quarantines within these set rules.

B. Configuration Requirements.

i. Customer will be responsible for deploying, configuring, maintaining, upgrading, and troubleshooting Cofense Vision in Customer’s environment and allowing connectivity from the Cofense cloud.

ii. Customer will not be more than one (1) release behind the current production release of Cofense Vision.

4. Daily Services Periods. The “Daily Services Periods” will mean one of the following daily time periods, excluding Cofense company observed holidays:

Non-24/7 Customers.

North America Customers: Monday – Friday, 8:00 AM – 8:00 PM ET

EMEA Customers: Monday – Friday, 7:00 AM – 7:00 PM GMT

APAC Customers: Monday – Friday, 8:00 AM – 8:00 PM AET

Any Customer located outside of the regions above will be served according to one of the above options as determined by Cofense and notified to Customer prior to the start of the Professional Services.

24/7 Customers. Monday – Sunday, 12:00 AM – 11:59 PM GMT

5. Additional Terms.

A. Customer acknowledges and agrees that for Cofense to provide the Professional Services and/or Deliverables above, Cofense uses a subcontractor, Network Intelligence (I) Pvt. Ltd. located in India, and that Customer Data may be processed in India.

B. Customer acknowledges and agrees that lack of timely responses to Cofense’s requests may adversely affect the schedule of any Professional Services performed hereunder.

C. Customer will provide and maintain proper access between Cofense’s hosted Cofense Triage environment and Customer-deployed Cofense Vision.

D. Customer will be responsible for configuration and troubleshooting any integration with third party technologies.

COFENSE TRIAGE
PROFESSIONAL SERVICES CONSULTING
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to Cofense Triage Professional Services Consulting provided under an applicable Order.

1. Professional Services Description. Cofense will provide the Professional Services set forth below only in connection with a current license for Cofense Triage, during the term set forth in the applicable Order. Unless otherwise stated in the Order, the Professional Services will automatically renew after the term set forth in the Order for additional periods of one (1) year each, unless either Party notifies the other of its intention not to renew the Professional Services at least sixty (60) days prior to the expiration of the then-current term.

a.   Initial Planning.

i.    Cofense will conduct a call to discuss resource and information requirements required for performance of the service. Additional such calls may be conducted as needed.

ii.   Customer will complete a questionnaire provided by Cofense concerning technical requirements.

iii.   Cofense will provide an agenda for Implementation and Training described below.

b.   Implementation and Training. A Cofense consultant will perform the following, either on-site at Customer’s facilities or remotely as mutually agreed by the Parties:

i.   Conduct a kickoff meeting to discuss the implementation and training process.

ii.   Provide guidance to Customer on installation and configuration of Cofense Triage in the Customer’s environment.

iii.   Configure Customer’s existing suspicious email reporting inbox with Cofense Triage and integrate all trusted roots and establish a signed certificate.

iv.   Perform initial customized configuration of Cofense Triage for efficient analysis of reported suspicious emails.

v.   Discuss and establish Cofense Triage administration and maintenance tasks for best practices.

vi.   Provide Customer training on the following items:

1.   Administration and maintenance of Cofense Triage within the environment

2.   Analysis of reported email and clusters

3.   Notifications and process integrations

4.   Customizing responses to reported emails to Customer’s environment

5.   Guidance on success criteria and reporting

6.   Facilitate creation of use cases

7.   Cofense Rules and how Cofense Triage leverages Cofense Rules for analysis

8.   Review of threat intelligence and how it relates to new threats and associated use cases

9.   Rule creation and optimization

10.   Recipe creation and tweaking

11.   Establishing a baseline for Customer’s environment

12.   Provide guidance on day-to-day activities of Customer’s analysts

13.   Properly identifying threats and responding accordingly within the system.

vii.   Conduct a closeout meeting.

c.   Follow-up Support. After conclusion of the Implementation and Training set forth in Section 1(B), Cofense will perform the following:

i.   Provide a designated Cofense consultant who will be available for additional calls and/or email communications to answer any questions that may arise and troubleshoot any problems for the remainder of the applicable term for Professional Services.

ii.   Monthly meetings will be conducted by the designated Cofense consultant with Customer to review Customer’s program and progress.

2.   Timing of Implementation and Training. The Implementation and Training set forth in Section 1(B) will be performed over a mutually agreed three (3) day period and will not exceed twenty-four (24) hours total, including initial planning. For on-site services, Cofense Consultant typically will arrive every day by 8:00 am local time with the exception of Monday morning to allow for travel to the site, unless otherwise agreed by Customer and Cofense. The training schedule is typically planned for Tuesday through Thursday close of business. Cofense recommends Customer allocate a minimum of eight (8) hours per day for training to maximize the Cofense consultant’s time with Customer.

3.   Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by Cofense.

b.   Customer and Cofense will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

COFENSE TRIAGE
PROFESSIONAL SERVICES IMPLEMENTATION AND TRAINING
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to Cofense Triage Professional Services Implementation and Training provided under an applicable Order.

1.   Professional Services Description. Cofense will provide the following Professional Services in connection with Customer’s current software license to Cofense Triage, during the term set forth in the applicable Order.

a. Initial Planning.

i.   Cofense will conduct a call prior to installation of Cofense Triage to discuss resource and information requirements required for performance of the services. Additional such calls may be conducted as needed.

ii.   Customer will complete a questionnaire provided by Cofense concerning technical requirements.

iii.   Cofense will provide an agenda for the Implementation and Training described below.

b. Implementation and Training. A Cofense consultant will perform the following, either on-site at Customer’s facilities or remotely as mutually agreed by the Parties:

i.   Conduct a kickoff meeting to discuss the implementation and training process.

ii.   Install and configure Cofense Triage in the Customer’s environment.

iii.   Configure Customer’s existing suspicious email reporting inbox with Cofense Triage and integrate all trusted roots and establish a signed certificate.

iv.   Perform initial customized configuration of Cofense Triage for efficient analysis of reported suspicious emails.

v.   Discuss and establish Cofense Triage administration and maintenance tasks for best practices.

vi.   Provide Customer training on the following items:

1.   Administration and maintenance of Cofense Triage within the environment

2.   Analysis of reported email and clusters

3.   Notifications and process integrations

4.   Customizing responses to reported emails to Customer’s environment

5.   Success criteria and reporting

6.   Establishing use cases for scenarios and reported intel from outside sources

7.   Cofense Rules and how Cofense Triage leverages Cofense Rules for analysis

8.   Review of threat intelligence and how it relates to new threats and associated use cases

9.   Rule creation and optimization

10.   Recipe creation and tweaking

11.   Establishing a baseline for Customer’s environment

12.   Day-to-day activities of Customer’s analysts

13.   Properly identifying threats and responding accordingly within the system.

vii.   Assist in developing documentation for Customer’s corporate Incident Response (IR) or Security Operations plans to incorporate Cofense Triage.

viii.  Assist in developing and customizing Cofense Triage protocols, procedures and email templates.

ix.   Conduct a closeout meeting.

c. Follow-up Support. After conclusion of the Implementation and Training, Cofense will perform the following: Provide remote post-implementation support as needed for ten (10) business days. During this time, the Cofense consultant will be available for additional calls and/or email communications to answer any questions that may arise and troubleshoot any problems. After this time, all requests for assistance must be directed to [email protected]

2. Timing of Implementation and Training. The Implementation and Training will be performed over a mutually agreed three (3) day period and will not exceed twenty-four (24) hours total, including initial planning. For on-site services, Cofense Consultant typically will arrive every day by 8:00 am local time with the exception of Monday morning to allow for travel to the site, unless otherwise agreed by Customer and Cofense. The training schedule is typically planned for Monday through Thursday close of business, with Friday morning allowed for miscellaneous Customer questions or requests, as well as the closeout meeting. Cofense recommends Customer allocate a minimum of eight (8) hours per day for training to maximize the Cofense consultant’s time with Customer.

3. Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by Cofense.

b.   Customer and Cofense will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

COFENSE TRIAGE
PROFESSIONAL SERVICES OPTIMIZATION
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to Cofense Triage Professional Services Optimization provided under an applicable Order.

1.   Professional Services Description. Cofense will provide the following Professional Services in connection with Customer’s current software license to Cofense Triage, during the term set forth in the applicable Order.

a.   Initial Planning. Cofense will provide an agenda to Customer prior to the start of Cofense Triage Review hereunder.

b.   Cofense Triage Review. A Cofense consultant will perform the following, either on-site at Customer’s facilities or remotely as mutually agreed by the Parties:

i.   Review the overall performance of Customer’s Cofense Triage instance.

ii.  Examine Customer’s operational statistics, configuration, and Cofense Triage version usage.

iii. Review Customer’s Cofense Triage use cases, including rules, recipes, and responses being used, according to Customer’s profile and active threats identified in Cofense Triage.

iv.  Ensure proper functionality, responsiveness, and adherence to best practices for Customer’s Cofense Triage instance.

v.   Recommend changes to improve Cofense Triage performance.

vi.  Provide additional ad-hoc platform training as requested by Customer and agreed upon by Cofense.

vii. The services hereunder will be performed over a mutually agreed two (2) day period and will not exceed twenty (20) hours total.

2. Deliverables. Cofense will provide the following Deliverables:

a.   Health assessment report summarizing the results of the services.

b.   Documentation, as applicable, regarding all findings resulting from the services.

3. Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by Cofense.

b.   Customer and Cofense will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

COFENSE VALIDATOR SERVICES
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to Cofense Validator provided under an applicable Order. In the event of any conflict between this Schedule and the Agreement, this Schedule will govern.

1.   Services Description. Cofense will provide Cofense Validator services described herein (the “Services”). Unless otherwise stated in the Order, the Services will automatically renew after the term set forth in the Order for additional periods of one (1) year each, unless either Party notifies the other of its intention not to renew the Services at least sixty (60) days prior to the expiration of the then-current term.

a.   Services Overview. Cofense will use a variety of phishing and malicious emails to determine the type of threats that may be able to bypass Customer’s email security technologies. Cofense will perform testing against the number of Customer’s secure email gateway(s) (“SEG(s)”) stated in the applicable Order, and attempt to bypass email security controls utilizing a mixture of legitimate, pseudo-legitimate, malicious, and pseudo-malicious emails. Cofense will perform the number of assessments stated in the Order within a twelve (12) month period based on a mutually agreed upon schedule by the Parties. Each assessment will take up to four (4) weeks to complete each time the Services are performed.

b.   For each assessment, Cofense will:

i.   Assign a Cofense consultant as Customer’s point of contact for the performance of Services under this Schedule.

ii.  Conduct a consultation conference call with Customer, which includes discussion to develop an understanding of Customer’s security environment, and Customer’s current security efforts, as well as assignment of decision-making roles and required processes for Customer under this Schedule.

iii. Send real malicious emails that Cofense identifies in the wild, as well as internally created emails that may be more tailored to obfuscate detection and bypass different types of technologies to determine what type of threats may be able to bypass the different technologies in use for email security.

iv.  Identify any emails that successfully bypass one or more technology solutions and document related details. Information regarding emails that successfully make it through Customer’s SEG(s) will be provided to Customer.

v.   Cofense will perform the Services remotely.

c.   Out of Scope. Services not described herein are out of scope, including but not limited to: red-team or vulnerability testing against the actual email infrastructure hardware or software, configuration validation, iterative testing, or related recommendations, remediation of any security issues discovered.

2. Deliverables. Cofense will provide the following Deliverables for each assessment:

a.   Executive Summary

b.  Analysis Report containing the documentation related to emails that have successfully bypassed one or more SEG(s).

3. Customer Responsibilities and Warranties.

a. Customer agrees to comply with the Cofense services documentation, and its usage guides and policies (“Environment Readiness Documentation”) as a condition to accessing the Services.

b. Customer will create dedicated email account(s) on its email infrastructure that adhere to its existing standard configurations, as further described in the Environment Readiness Documentation. The email account(s) created by Customer will be sent both malicious and non-malicious emails for this engagement and the email accounts and emails must be removed from Customer’s environment by Customer immediately upon completion of the Services.

c. As some of the emails may contain live malware, Customer will restrict any access or use of the provided email accounts and associated emails by any non-Cofense employee.

d. Customer represents and warrants that it has all the rights necessary for Cofense to perform the Services under this Schedule. Customer represents and warrants that all information provided is true and accurate and that Customer owns or is authorized to represent the owners of the systems and networks described in connection with the Services.

e. Customer may inform all or a selected group of its employees, contractors, and other third parties about the Services to be undertaken by Cofense. In the event that Customer decides not to inform anyone of the Services, Customer understands that people may spend time and money on behalf of Customer in detecting, blocking, investigating, or responding to activities of Cofense. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND EXPENDITURES MAY OCCUR, CUSTOMER SHOULD CONSULT WITH CUSTOMER’S LEGAL COUNSEL AND/OR A MEMBER OF EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS.

4. Proprietary Rights.

a. Cofense and its licensors own all rights, title and interest, in and to Cofense proprietary materials relating to the Services, including without limitation, software and applications used to provide the Services, materials, Cofense’s Confidential Information, threat intelligence and threat indicators, intelligence alerts and reports, and/or investigation tools, Environment Readiness Documentation, proprietary processes and methods, and any Cofense templates and/or forms (“Cofense IP”). Cofense will have the right to use and publicize its findings from any report provided under the Services in an anonymous form that does not identify Customer. Such anonymized findings will be Cofense IP.

b. Subject to full payment of fees by Customer for the Services and Deliverable in accordance with the terms of the Agreement, Cofense will (a) assign to Customer all copyrights in and to the Deliverables, with the exception of any Cofense IP included therein; and (b) grant to Customer a non-exclusive, royalty-free, worldwide license to use any Cofense IP incorporated into the Deliverable, solely as part of the Deliverable and not separate from the Deliverable, as necessary for Customer to make use of the Deliverable as set forth herein. Deliverables containing Cofense IP may not be shared with any third party other than (i) law enforcement agencies or (ii) third party consultants/subcontractors, provided that: (A) the consultant/subcontractor is under an obligation of confidentiality and non-use restrictions at least as restrictive as those set forth in the Agreement and (B) the consultant/subcontractor is receiving and using the Deliverable for the sole purposes of providing services to Customer.

c. Except for the rights expressly granted in this Schedule, Customer will acquire no other rights, express or implied, in or to Cofense IP, and all rights not expressly provided to Customer hereunder are reserved by Cofense and its licensors. Customer will not directly or indirectly: (i) copy, modify, rent, lease or distribute Cofense IP; (ii) reverse engineer, disassemble, decompile or otherwise attempt to discover the source code or structure, sequence and organization of Cofense IP (except where the foregoing is expressly prohibited by applicable local law, and then only to the extent so prohibited); and (iii) use the Cofense IP to help develop any other product or service.

d. Cofense acknowledges that Customer owns all right, title and interest in and to the information submitted or provided by Customer for purposes of the Services (“Customer Data”) except the data, assessments, analyses or compilations, collected by, derived from, created by or returned by the Services, including any derivative works thereof (excluding any Customer Data included therein). Subject to the licenses granted herein, Cofense acquires no right, title or interest from Customer under this Schedule in or to Customer Data.

e. Feedback. Customer agrees to provide ongoing Feedback to Cofense regarding the Services, including through questionnaires and surveys. Notwithstanding anything in this Schedule or the Agreement to the contrary, Customer grants to Cofense a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction, or other feedback (collectively, “Feedback”) provided by Customer relating to the Services for use by Cofense. Feedback will not include Confidential Information.

f. Customer will not (a) make any negative statement or communication regarding Cofense with the intent to harm Cofense, or (b) make any derogatory or disparaging statement or communication regarding Cofense. Customer agrees to defend, hold harmless, and indemnify Cofense for any breach of the foregoing. Notwithstanding anything in this Section to the contrary, this Section will not prohibit Customer from making any good-faith claim, suit, action or proceeding against Cofense.

5. Grant of Licenses. Cofense will make the Services and related Cofense IP available to Customer during the term of this Schedule. Customer acknowledges that Cofense may access Customer Data submitted in connection with the Services for the purpose of improving the Services and any other of Cofense’s current and future features, products and/or services. Customer grants Cofense a non-exclusive, worldwide, royalty-free, license to use Customer Data for performance of the Services.

6. Additional Terms.

a. THE SERVICES AND COFENSE IP ARE PROVIDED “AS-IS,” EXCLUSIVE OF ANY WARRANTY WHATSOEVER WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. COFENSE DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. CUSTOMER UNDERSTANDS THAT, ALTHOUGH COFENSE TAKES PRECAUTIONS TO AVOID DAMAGE TO CUSTOMER’S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A RESULT OF THE SERVICES. Cofense may discontinue the Services at any time, in its sole discretion. Customer represents and warrants that all systems on its network or otherwise accessible during the Services have been backed up, and that any data loss or other damage caused by the Services can be easily and quickly reversed.

b. Customer acknowledges that any Services Cofense is providing hereunder is at Customer’s direction. Customer acknowledges that Cofense will be sending malicious content to Customer’s email security stack and Cofense disclaims any and all bug and/or virus warranties that may be included in the Agreement. Notwithstanding anything in this Schedule or the Agreement to the contrary, Customer freely, knowingly, and voluntarily assumes all risks associated with the Services, whether known or unknown, and whether or not reasonably foreseeable. Customer (a) further releases, waives, and discharges Cofense, its officers, directors, employees and agents (each an “Indemnified Party”) from and against any and all claims, legal proceedings, liabilities, damages, losses, demands, actions, causes of action, injuries, judgments, settlements, costs and expenses (including, without limitation, reasonable attorneys’ fees and costs), whether known or unknown, foreseeable and unforeseeable, and whether arising out of any negligent acts or omissions of an Indemnified Party, that may arise from or in connection with the Services (collectively, the “Released Claims”); and (b) promises and agrees not to sue an Indemnified Party for any of the Services set forth herein. Customer further covenants and agrees to defend, reimburse, indemnify and hold harmless from and against any and all Released Claims that Indemnified Party may incur or suffer directly or indirectly arising out of, relating to, or in connection with anything whatsoever with respect to Customer’s use of the Services, including, but not limited to: (i) any negligent or intentional act or omission by Customer or Indemnified Party with respect to the use or access to the malicious content; (ii) any claim or allegation that such malicious content has damaged real or tangible personal property of Customer or any third party; and (iii) any breach by Customer of the terms of this Schedule.

c. Cofense makes no guarantees about the security or state of Customer’s network and systems and is not responsible for any inadvertent anomalies that occur in performance of the Services, including, without limitation, network or system downtime or lost data. Cofense does not guarantee all security or configuration issues will be found or any specific level of security following completion of the verification. Customer has the sole responsibility for adequate protection and backup of data and its networks and systems used in connection with the Services and will not make a claim against Cofense for any lost data, network or system downtime, inaccurate output, work delays or lost profits resulting from the Services.

d. “Confidential Information” means any information disclosed by one party (“Discloser”) to the other (“Recipient”), directly or indirectly, in writing, orally or by inspection of tangible objects, which is designated as “Confidential,” “Proprietary” or some similar designation, or learned by Recipient under circumstances in which such information would reasonably be understood to be confidential. Confidential Information may include information disclosed in confidence to Discloser by third parties. For the purposes of this Schedule, the Service(s), and the results of any performance, functional or other evaluation of the Service(s), will be deemed Confidential Information of Cofense. The Recipient agrees that it will: (i) not use any Confidential Information for any purpose except to evaluate the Service(s) and engage in discussions concerning a potential business relationship between the parties; (ii) use at least the same degree of care as the Recipient uses to protect its own Confidential Information, but in no event less than a reasonable degree of care, to prevent the unauthorized use, dissemination or publication of the Confidential Information; (iii) limit disclosure of Confidential Information to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing, prior to receipt of Confidential Information, either as a condition of their employment or in order to obtain the Confidential Information, to obligations similar to the provisions hereof; and (iv) not disclose any Confidential Information to third parties without the prior written consent of the Discloser. Recipient acknowledges that the disclosure of Confidential Information may cause irreparable injury to the Discloser. Discloser will, therefore, be entitled to seek injunctive relief upon a disclosure or threatened disclosure of any Confidential Information, without a requirement that the Discloser prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as may be available to the Discloser at law or in equity. Within ten (10) business days of the termination of this Schedule or upon the Discloser’s written request, the Recipient will (at the Recipient’s election) promptly destroy or return all of Discloser’s Confidential Information in the Recipient’s possession.

e. Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, IN NO EVENT WILL COFENSE BE LIABLE FOR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO THIS SCHEDULE. THE FOREGOING LIMITATIONS ON COFENSE’S LIABILITY WILL APPLY WHETHER OR NOT COFENSE WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. THE TOTAL LIABILITY OF COFENSE ARISING OUT OF OR RELATED TO THIS SCHEDULE WILL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER TO COFENSE UNDER THIS SCHEDULE.

f. Notwithstanding anything in the Agreement or data transfer agreement in place between the Parties, the data and information provided to Cofense for these Services may be processed in the United States. Such data may be transferred to any Cofense location in the provision of Services.

7. Survival. The provisions of Section 4 (Proprietary Rights) and Section 6 (Additional Terms) of this Schedule, will survive the termination of this Schedule and the termination of all applicable ordering documents.

COFENSE PHISHME SUBSCRIPTION
EXHIBIT B

In addition to the terms of the Agreement, the following terms apply to Cofense PhishMe™.

  1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of this Agreement, Cofense grants to Customer a non-exclusive, non-transferable, non-assignable right to access Cofense PhishMe, including the applicable Documentation and all associated Cofense IP, for Customer’s internal use only. Customer acknowledges that Cofense has no delivery obligation and will not ship copies of software as part of Cofense PhishMe. If Customer is licensing Cofense Reporter™ Software in conjunction with the Cofense PhishMe Subscription, the terms set forth in Exhibit E – Cofense Reporter Software, will govern Customer’s use of Cofense Reporter. If Customer orders Cofense PhishMe Professional Services in conjunction with the Cofense PhishMe Subscription, the terms set forth in Exhibit A – Professional Services, will govern Cofense’s provision of such Professional Services. If Customer is purchasing a subscription to Cofense Intelligence™ in conjunction with the Cofense PhishMe Subscription, the terms set forth in Exhibit C – Cofense Intelligence, will govern Customer’s Cofense Intelligence Subscription. If Customer is purchasing a subscription to Cofense LMS™ in conjunction with the Cofense PhishMe Subscription, the terms set forth in Exhibit D – Cofense LMS Subscription, will govern Customer’s Cofense LMS Subscription.
  2. Customer is responsible for its Authorized Users’ compliance with the Agreement, this Exhibit and the Cofense PhishMe Acceptable Use Policy Addendum attached hereto.
  3. Cofense PhishMe includes access to Cofense’s standard computer-based training modules for cybersecurity awareness (“CBTs”) as set forth in the Order. If agreed upon by Cofense, Customer may order additional features or content for the CBTs at the pricing stated in the Order (“CBT Enhancements”).
  4. Customer acknowledges and agrees that the maximum number of Authorized Users will not exceed the number of Authorized Users set forth in the applicable Order. At the beginning of the Subscription Term, Customer will designate and allocate the Authorized Users and will not reassign or replace such Authorized Users (except for those designated by Customer to act as administrators) prior to the expiration of the Subscription Term. Customer may add additional Authorized Users during the Subscription Term, at the same pricing as set forth in the applicable Order, pro-rated for the portion of the Subscription Term remaining at the time.  Customer will provide Cofense with a primary contact person who will approve requests for new administrators. Notwithstanding anything in the Agreement to the contrary, any breach by Customer and its Authorized Users of this Section will result in the immediate suspension or termination of Customer and its Authorized Users’ access to Cofense PhishMe.
  5. Customer may only designate Authorized Users’ email addresses with Internet domain names that Customer owns or is authorized by the Internet domain name owner to use for the purposes contemplated herein.
  6. Subscription Availability and Uptime.
    • Cofense will use commercially reasonable efforts to provide Customer administrators with online availability to Cofense PhishMe 99.8% of the time in any calendar month (“Uptime”), excluding downtime caused by Scheduled Maintenance, force majeure events, or acts or omissions of Customer not in accordance with the Agreement and Documentation.
    • Scheduled Maintenance. Scheduled maintenance is used for major upgrades to Cofense applications, servers, or networks.  Scheduled maintenance timeslots are reserved in advance and a customer announcement message is presented to Customer in Cofense PhishMe.
  7. Cofense will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following support by the Technical Operations Center (TOC):
    • Cofense PhishMe (Enterprise) support (questions concerning basic feature inquiries, troubleshooting, and configuration support) is available 24×6 (Sunday-Friday).
    • Cofense PhishMe (SBE) support (questions concerning basic feature inquiries, troubleshooting, and configuration support) is available 9AM ET to 6:00 PM ET (Monday-Friday).
    • Normal priority requests received outside of support hours are placed in a support queue for processing by TOC Engineers during standard support hours. Urgent issues outside of business hours will be received and escalated by a US based answering service.
    • Special support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed upon date and time. TOC support hours are subject to holiday hours and closures. TOC support hours may be reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense Community Portal. Customer may refer to the most up to date hours as set forth in the Cofense Community portal.
    • The TOC may be reached via service portal, live chat, and telephone as listed in the Cofense Community portal.

ACCEPTABLE USE POLICY ADDENDUM FOR
COFENSE PHISHME

By using Cofense PhishMe, you are agreeing to this Acceptable Use Policy Addendum (this “Policy”). Please read this carefully.

Capitalized terms used below but not defined in this Policy will have the meaning set forth in the Agreement. Customer and its Authorized Users must promptly notify Cofense of any actual or suspected illegal or unauthorized activity or a security breach involving Cofense PhishMe.

Customer and its Authorized Users may not:

  1. disseminate material that is abusive, obscene, pornographic, defamatory, harassing, grossly offensive, vulgar, threatening, or malicious;
  2. disseminate materials that would constitute an infringement upon the patents, copyrights, trademarks, trade secrets or other intellectual property rights of others;
  3. use Cofense PhishMe for any illegal purpose, or in violation of any laws;
  4. disseminate materials that would give rise to liability under the Computer Fraud and Abuse Act;
  5. use Cofense PhishMe to commit fraud or engage in other misleading or deceptive activities;
  6. upload to, or transmit from Cofense PhishMe any viruses, worms, defects, Trojan horses, time-bombs, malware, spyware, or any other computer code of a destructive or interruptive nature;
  7. share Cofense PhishMe and any associated Cofense IP and Cofense Confidential Information with any third-parties, except as expressly authorized in advance by Cofense in writing;
  8. use Cofense PhishMe and Cofense IP in any way to provide services to any third-party;
  9. disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of Cofense PhishMe and any Cofense IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes);
  10. sell, resell, distribute, sublicense or otherwise transfer, Cofense PhishMe and any Cofense IP, or make the functionality of Cofense PhishMe available to any other party through any means (unless Cofense has provided prior written consent); and
  11. reproduce, alter, modify or create derivatives of the Cofense IP (unless as expressly permitted in this Agreement).

Authorized Users must comply with any Intellectual Property Rights asserted in any Cofense IP provided to Customer for the purposes of using with Cofense PhishMe.  Authorized Users will maintain and not remove or obscure any proprietary notices on Cofense IP.

Remedies. Violation of this Policy may result in civil or criminal liability, and Cofense may, in addition to any other remedy that Cofense may have at law or in equity, terminate any permission for Customer and any Authorized User to access Cofense PhishMe or immediately remove the offending material. In addition, Cofense may investigate incidents that are contrary to this Policy.

Any observations regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense reserves the right to update and modify this Policy at any time from time-to-time. Continued use of Cofense PhishMe by Customer and its Authorized Users after such update or modification will indicate Customer’s acceptance of the updates and/or modifications to this Policy.

COFENSE INTELLIGENCE SUBSCRIPTION
EXHIBIT C

In addition to the terms of the Agreement, the following terms apply to Cofense Intelligence™.

  1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of the Agreement, Cofense grants to Customer a limited, non-exclusive, non-transferable, non-assignable, non-sublicenseable right to use the Cofense Intelligence Subscription, which includes ThreatHQ®, and any Cofense IP (including phishing intelligence data and any reports, threat indicators, threat alerts, materials or information) provided by Cofense through Cofense Intelligence, solely for Customer’s internal business purposes of researching, identification and mitigation of phishing attacks and as otherwise set forth herein, and may not be used for any other purpose. Customer and its Authorized Users may not share Cofense Intelligence or any Cofense IP with any third party, except as expressly authorized in advance by Cofense in writing. Cofense Intelligence may be delivered in the following formats: applicable machine-readable threat intelligence, human readable intelligence reports, and/or the Cofense Intelligence ThreatHQ Portal. Cofense owns all Intellectual Property rights in and to the formats in which Cofense Intelligence is delivered to Customer, including any API or code provided by Cofense to Customer. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit. Customer agrees to provide Cofense the name and job title of a primary point of contact for Cofense Intelligence. The primary point of contact will be responsible for approving new Authorized User accounts to Cofense Intelligence on behalf of Customer and ensuring the list of Customer’s Authorized Users for Cofense Intelligence is accurate and up to date.
  2. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with Cofense Intelligence, provided, however that Cofense does not make any representations and warranties or covenants of any nature or kind with respect to any Third Party Products, nor will Cofense have any liability for any damages that Customer may directly or indirectly incur or suffer as result of or arising from Customer’s use of any Third Party Product in combination with Cofense Intelligence. Customer further agrees and acknowledges that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by Cofense and selected by Customer, for use in combination with Cofense Intelligence.
  3. For any Customer phishing message or communication that Customer or its Authorized User submits to Cofense, Customer hereby grants Cofense a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive, license, including the right to sublicense to third parties, and right to reproduce, fix, adapt, modify, translate, reformat, create derivative works from, publish, distribute, sell, transmit, publicly display, publicly perform, or provide access to electronically, broadcast, display, perform, and use and practice such phishing message or communication as well as all modified and derivative works thereof; provided that such phishing message or communication is deidentified (stripped of any information used to identify Customer, including personal data).
  4. Cofense will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following:
    • Cofense Intelligence (Enterprise) support (questions concerning basic feature inquiries, ThreatHQ account management, troubleshooting, and configuration support) is available 9AM ET to 6:00 PM ET (Monday-Friday).
    • TOC support hours are subject to holiday hours and closures. TOC support hours may be reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense Resource Center. Customer may refer to the most up to date hours as set forth in the Cofense Resource Center.
    • Normal priority requests received outside of support hours are placed in a support queue for processing by TOC Engineers during standard support hours. Urgent issues outside of business hours will be received and escalated by a US based answering service.
    • Special support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed upon date and time. TOC support hours are subject to holiday hours and closures. TOC support hours may be reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense Resource Center. Customer may refer to the most up to date hours as set forth in the Cofense Resource Center.
    • The TOC Intelligence Team may be reached via service portal, live chat, and telephone as listed in the Cofense Resource Center.

COFENSE LMS SUBSCRIPTION
EXHIBIT D

In addition to the terms of the Agreement, the following terms apply to Cofense LMS™.

    1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of the Agreement, Cofense grants to Customer a limited, non-exclusive, non-transferable, non-assignable, non-sublicenseable right to use the Cofense LMS Subscription and any Cofense IP provided by Cofense through Cofense LMS, solely for Customer’s internal business purposes of identification and mitigation of phishing attacks and as otherwise set forth herein, and may not be used for any other purpose. Customer and its Authorized Users may not share Cofense LMS or any Cofense IP provided by Cofense through Cofense LMS, with any third party, except as expressly authorized in advance by Cofense in writing. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
    2. Customer is responsible for all Customer materials or content input into, facilitated through, or otherwise used within Cofense LMS and Cofense will not be liable for such Customer materials.  Customer will indemnify, defend and hold Cofense harmless for any and all damages, costs and other losses arising out of the use of content provided by Customer.
    3. Cofense LMS includes access to Cofense’s standard computer-based training modules for cybersecurity awareness (“CBTs”) as set forth in the Order. If agreed upon by Cofense, Customer may order additional features or content for the CBTs at the pricing stated in the Order (“CBT Enhancements”).
    4. Cofense will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following support by the Technical Operations Center (TOC) LMS team:
      • TOC LMS support (questions concerning feature inquiries, troubleshooting, and configuration support) from 9:00 AM ET through 6:00 PM ET (Monday-Friday).
      • TOC LMS support hours are subject to holiday hours and closures. TOC support hours may be reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense Community Portal. Customer may refer to the most up to date hours as set forth in the Cofense Community portal.
      • Normal priority requests received outside of support hours are placed in a support queue for processing by LMS Support Engineers during standard support hours.
      • Special support assistance outside of core hours may be arranged by customer request and scheduled at a mutually agreed upon date and time.
      • The TOC LMS support team may be reached via service portal, live chat, and telephone as listed in the Cofense Community portal.

COFENSE REPORTER FOR MOBILE (HOSTING) SUBSCRIPTION
EXHIBIT E

In addition to the terms of the Agreement, the following terms apply to Cofense Reporter™ for Mobile Hosting.

    1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of this Agreement, Cofense grants to Customer a non-exclusive, non-transferable, non-assignable right to access the applicable version of Cofense Reporter for Mobile (Hosting), including the applicable Documentation, for Customer’s internal use only. Customer acknowledges that Cofense has no delivery obligation and will not ship copies of software as part of Cofense Reporter for Mobile (Hosting). Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit. Authorized User-initiated Cofense Reporter reports must be sent to a mailbox owned by Customer or authorized mailbox.
    2. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with Cofense Reporter, provided, however that Cofense does not make any representations and warranties or covenants of any nature or kind with respect to any Third Party Products, nor will Cofense have any liability for any damages that Customer may directly or indirectly incur or suffer as result of or arising from Customer’s use of any Third Party Product in combination with Cofense Reporter. Customer further acknowledges and agrees that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by Cofense and selected by Customer, for use in combination with Cofense Reporter.
    3. Subscription Availability and Uptime.
      • Cofense will use commercially reasonable efforts to provide Customer administrators with online availability to Cofense Reporter for Mobile (Hosting) 99.8% of the time in any calendar month (“Uptime”), excluding downtime caused by Scheduled Maintenance, force majeure events, or acts or omissions of Customer not in accordance with the Agreement and Documentation.
      • Scheduled Maintenance. Scheduled maintenance is used for major upgrades to Cofense applications, servers, or networks. Scheduled maintenance notice will be provided in advance.
    4. Cofense will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following support by the Technical Operations Center (TOC):
      • Cofense Reporter for Mobile (Hosting) support (questions concerning basic feature inquiries, troubleshooting, installation and configuration support) is available 9:00 AM ET to 6:00 PM US ET (Monday-Friday).
      • Normal priority requests received outside of support hours are placed in a support queue for processing by TOC Engineers during standard support hours. Urgent issues outside of business hours will be received and escalated by a US based answering service and processed according to the standard TOC Reporter escalation process.
      • Special support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed upon date and time. TOC support hours are subject to holiday hours and closures. TOC support hours may be reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense Community Portal. Customer may refer to the most up to date hours as set forth in the Cofense Community portal.
      • Customer requestor must have sufficient knowledge about the technical details associated with their service request, knowledge of the configuration of their environment and internal points of contacts or vendors of Third-Party Products in attendance on all technical troubleshooting calls, if integration configuration guidance is needed.
      • The TOC may be reached via service portal, live chat, and telephone as listed in the Cofense Community portal.

COFENSE REPORTER
EXHIBIT F

In addition to the terms of the Agreement, the following terms apply to Cofense Reporter™.

    1. For the duration of the applicable Subscription Term (or if the Software version of Cofense Reporter, the Software License Term) set forth in the applicable Order and in accordance with the terms of this Agreement, Cofense grants to Customer a non-exclusive, non-transferable, non-assignable right to access or use Cofense Reporter, including the applicable Documentation, for Customer’s internal use only. Authorized User-initiated Cofense Reporter reports must be sent to a mailbox owned by Customer or authorized mailbox. Customer acknowledges and agrees that Cofense may store Customer Data from Cofense Reporter in the United States. Customer acknowledges and agrees that Cofense may use data analyzed in received emails to provide and improve our products and services. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
    2. The use of Cofense Reporter by Customer will be at no cost as long as Customer is under a current Cofense PhishMe Subscription Term or Cofense Triage Software License Term; provided, however, if at any time Customer is using Cofense Reporter and is not under a then-current Cofense PhishMe Subscription Term or Cofense Triage Software License Term, Customer will be charged an annual maintenance fee equal to sixty percent (60%) of the then current Cofense PhishMe or Cofense Triage list price, unless otherwise mutually agreed by the Parties in writing.
    3. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with Cofense Reporter, provided, however that Cofense does not make any representations and warranties or covenants of any nature or kind with respect to any Third Party Products, nor will Cofense have any liability for any damages that Customer may directly or indirectly incur or suffer as result of or arising from Customer’s use of any Third Party Product in combination with Cofense Reporter. Customer further acknowledges and agrees that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by Cofense and selected by Customer, for use in combination with Cofense Reporter.
    4. As part of the license to Cofense Reporter (depending on the email client), Customer may configure the Cofense Reporter icon logo and user facing language. Customer acknowledges and agrees that it will not: a) use any image or language that is abusive, obscene, pornographic, defamatory, harassing, grossly offensive, vulgar, threatening, or malicious; b) use any image or language that infringes upon the patents, copyrights, trademarks, trade secrets or other intellectual property rights of others; and c) use Cofense Reporter for any illegal purpose, or in violation of any laws.

COFENSE VALIDATOR
EXHIBIT G

In addition to the terms of the Agreement, the following terms apply to Cofense Validator™.

  1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of this Agreement, Cofense grants to Customer a non-exclusive, non-transferable, non-assignable right to access Cofense Validator, including the applicable Documentation and all associated Cofense IP, for Customer’s internal use only.
  2. Customer will obtain all rights, permissions or consents from Authorized Users and other Customer personnel that are necessary to grant the rights and licenses in this Agreement and use of Cofense Validator. 
  3. Customer Responsibilities and Warranties.

a. Customer agrees to comply with the Cofense services documentation, and its usage guides and policies (“Environment Readiness Documentation”) as a condition to accessing the Subscription. To use Cofense Validator, Customer understands that it must create a configuration profile. Without this profile no test will be executed on Customer’s security stack. To get notified, Customer must select the notification method for both baseline tests and active threat feed. For these notifications to work the Customer user must provide email addresses to be notified.

b. Customer will create dedicated email account(s) on its email infrastructure that adhere to its existing standard configurations, as further described in the Environment Readiness Documentation. The email account(s) created by Customer will be sent both malicious and non-malicious emails for this engagement and the email accounts and emails must be removed from Customer’s environment by Customer immediately upon completion of the Services.

c. As some of the emails may contain live malware, Customer will restrict any access or use of the provided email accounts and associated emails by any non-Cofense employee.

d. Customer represents and warrants that it has all the rights necessary for Cofense to perform the Services under this Schedule. Customer represents and warrants that all information provided is true and accurate and that Customer owns or is authorized to represent the owners of the systems and networks described in connection with the Services.

e. Customer may inform all or a selected group of its employees, contractors, and other third parties about the Services to be undertaken by Cofense. In the event that Customer decides not to inform anyone of the Services, Customer understands that people may spend time and money on behalf of Customer in detecting, blocking, investigating, or responding to activities of Cofense. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND EXPENDITURES MAY OCCUR, CUSTOMER SHOULD CONSULT WITH CUSTOMER’S LEGAL COUNSEL AND/OR A MEMBER OF EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS.

4. Proprietary Rights.

a. Cofense and its licensors own all rights, title and interest, in and to Cofense proprietary materials relating to the Services, including without limitation, software and applications used to provide the Services, materials, Cofense’s Confidential Information, threat intelligence and threat indicators, intelligence alerts and reports, and/or investigation tools, Environment Readiness Documentation, proprietary processes and methods, and any Cofense templates and/or forms (“Cofense IP”). Cofense will have the right to use and publicize its findings from any report provided under the Services in an anonymous form that does not identify Customer. Such anonymized findings will be Cofense IP.

b. Subject to full payment of fees by Customer for the Services and Deliverable in accordance with the terms of the Agreement, Cofense will (a) assign to Customer all copyrights in and to the Deliverables, with the exception of any Cofense IP included therein; and (b) grant to Customer a non-exclusive, royalty-free, worldwide license to use any Cofense IP incorporated into the Deliverable, solely as part of the Deliverable and not separate from the Deliverable, as necessary for Customer to make use of the Deliverable as set forth herein. Deliverables containing Cofense IP may not be shared with any third party other than (i) law enforcement agencies or (ii) third party consultants/subcontractors, provided that: (A) the consultant/subcontractor is under an obligation of confidentiality and non-use restrictions at least as restrictive as those set forth in the Agreement and (B) the consultant/subcontractor is receiving and using the Deliverable for the sole purposes of providing services to Customer.

c. Except for the rights expressly granted in this Schedule, Customer will acquire no other rights, express or implied, in or to Cofense IP, and all rights not expressly provided to Customer hereunder are reserved by Cofense and its licensors. Customer will not directly or indirectly: (i) copy, modify, rent, lease or distribute Cofense IP; (ii) reverse engineer, disassemble, decompile or otherwise attempt to discover the source code or structure, sequence and organization of Cofense IP (except where the foregoing is expressly prohibited by applicable local law, and then only to the extent so prohibited); and (iii) use the Cofense IP to help develop any other product or service.

d. Cofense acknowledges that Customer owns all right, title and interest in and to the information submitted or provided by Customer for purposes of the Services (“Customer Data”) except the data, assessments, analyses or compilations, collected by, derived from, created by or returned by the Services, including any derivative works thereof (excluding any Customer Data included therein). Subject to the licenses granted herein, Cofense acquires no right, title or interest from Customer under this Schedule in or to Customer Data.

e. Feedback. Customer agrees to provide ongoing Feedback to Cofense regarding the Services, including through questionnaires and surveys. Notwithstanding anything in this Schedule or the Agreement to the contrary, Customer grants to Cofense a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction, or other feedback (collectively, “Feedback”) provided by Customer relating to the Services for use by Cofense. Feedback will not include Confidential Information.

f. Customer will not (a) make any negative statement or communication regarding Cofense with the intent to harm Cofense, or (b) make any derogatory or disparaging statement or communication regarding Cofense. Customer agrees to defend, hold harmless, and indemnify Cofense for any breach of the foregoing. Notwithstanding anything in this Section to the contrary, this Section will not prohibit Customer from making any good-faith claim, suit, action or proceeding against Cofense.

5. Grant of Licenses. Cofense will make the Services and related Cofense IP available to Customer during the term of this Schedule. Customer acknowledges that Cofense may access Customer Data submitted in connection with the Services for the purpose of improving the Services and any other of Cofense’s current and future features, products and/or services. Customer grants Cofense a non-exclusive, worldwide, royalty-free, license to use Customer Data for performance of the Services.

6. Additional Terms.

a. THE SERVICES AND COFENSE IP ARE PROVIDED “AS-IS,” EXCLUSIVE OF ANY WARRANTY WHATSOEVER WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. COFENSE DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. CUSTOMER UNDERSTANDS THAT, ALTHOUGH COFENSE TAKES PRECAUTIONS TO AVOID DAMAGE TO CUSTOMER’S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A RESULT OF THE SERVICES. Cofense may discontinue the Services at any time, in its sole discretion. Customer represents and warrants that all systems on its network or otherwise accessible during the Services have been backed up, and that any data loss or other damage caused by the Services can be easily and quickly reversed.

b. Customer acknowledges that any Services Cofense is providing hereunder is at Customer’s direction. Customer acknowledges that Cofense will be sending malicious content to Customer’s email security stack and Cofense disclaims any and all bug and/or virus warranties that may be included in the Agreement. Notwithstanding anything in this Schedule or the Agreement to the contrary, Customer freely, knowingly, and voluntarily assumes all risks associated with the Services, whether known or unknown, and whether or not reasonably foreseeable. Customer (a) further releases, waives, and discharges Cofense, its officers, directors, employees and agents (each an “Indemnified Party”) from and against any and all claims, legal proceedings, liabilities, damages, losses, demands, actions, causes of action, injuries, judgments, settlements, costs and expenses (including, without limitation, reasonable attorneys’ fees and costs), whether known or unknown, foreseeable and unforeseeable, and whether arising out of any negligent acts or omissions of an Indemnified Party, that may arise from or in connection with the Services (collectively, the “Released Claims”); and (b) promises and agrees not to sue an Indemnified Party for any of the Services set forth herein. Customer further covenants and agrees to defend, reimburse, indemnify and hold harmless from and against any and all Released Claims that Indemnified Party may incur or suffer directly or indirectly arising out of, relating to, or in connection with anything whatsoever with respect to Customer’s use of the Services, including, but not limited to: (i) any negligent or intentional act or omission by Customer or Indemnified Party with respect to the use or access to the malicious content; (ii) any claim or allegation that such malicious content has damaged real or tangible personal property of Customer or any third party; and (iii) any breach by Customer of the terms of this Schedule.

c. Cofense makes no guarantees about the security or state of Customer’s network and systems and is not responsible for any inadvertent anomalies that occur in performance of the Services, including, without limitation, network or system downtime or lost data. Cofense does not guarantee all security or configuration issues will be found or any specific level of security following completion of the verification. Customer has the sole responsibility for adequate protection and backup of data and its networks and systems used in connection with the Services and will not make a claim against Cofense for any lost data, network or system downtime, inaccurate output, work delays or lost profits resulting from the Services.

d. “Confidential Information” means any information disclosed by one party (“Discloser”) to the other (“Recipient”), directly or indirectly, in writing, orally or by inspection of tangible objects, which is designated as “Confidential,” “Proprietary” or some similar designation, or learned by Recipient under circumstances in which such information would reasonably be understood to be confidential. Confidential Information may include information disclosed in confidence to Discloser by third parties. For the purposes of this Schedule, the Service(s), and the results of any performance, functional or other evaluation of the Service(s), will be deemed Confidential Information of Cofense. The Recipient agrees that it will: (i) not use any Confidential Information for any purpose except to evaluate the Service(s) and engage in discussions concerning a potential business relationship between the parties; (ii) use at least the same degree of care as the Recipient uses to protect its own Confidential Information, but in no event less than a reasonable degree of care, to prevent the unauthorized use, dissemination or publication of the Confidential Information; (iii) limit disclosure of Confidential Information to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing, prior to receipt of Confidential Information, either as a condition of their employment or in order to obtain the Confidential Information, to obligations similar to the provisions hereof; and (iv) not disclose any Confidential Information to third parties without the prior written consent of the Discloser. Recipient acknowledges that the disclosure of Confidential Information may cause irreparable injury to the Discloser. Discloser will, therefore, be entitled to seek injunctive relief upon a disclosure or threatened disclosure of any Confidential Information, without a requirement that the Discloser prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as may be available to the Discloser at law or in equity. Within ten (10) business days of the termination of this Schedule or upon the Discloser’s written request, the Recipient will (at the Recipient’s election) promptly destroy or return all of Discloser’s Confidential Information in the Recipient’s possession.

e. Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, IN NO EVENT WILL COFENSE BE LIABLE FOR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO THIS SCHEDULE. THE FOREGOING LIMITATIONS ON COFENSE’S LIABILITY WILL APPLY WHETHER OR NOT COFENSE WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. THE TOTAL LIABILITY OF COFENSE ARISING OUT OF OR RELATED TO THIS SCHEDULE WILL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER TO COFENSE UNDER THIS SCHEDULE.

f. Notwithstanding anything in the Agreement or data transfer agreement in place between the Parties, the data and information provided to Cofense for these Services may be processed in the United States. Such data may be transferred to any Cofense location in the provision of Services.

7. Survival. The provisions of Section 4 (Proprietary Rights) and Section 6 (Additional Terms) of this Schedule, will survive the termination of this Schedule and the termination of all applicable ordering documents.

 

COFENSE VISION SOFTWARE
EXHIBIT H

In addition to the terms of the Agreement, the following terms apply to Cofense Vision™.

    1. For the duration of the applicable Software License Term set forth in the applicable Order and in accordance with the terms of the Agreement, Cofense grants to Customer a limited, non-exclusive, non-sublicensable, non-transferrable, non-assignable software license to use Cofense Vision (Software version set forth in the Order), including the applicable Documentation, for Customer’s internal use only (“Software License”). Software License validations will be performed from time to time during the Software License Term across an encrypted communication channel over HTTPS. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
    2. Cofense Vision may only be installed as a virtual machine on one server in Customer’s cloud environment.
    3. Customer will obtain all rights, permissions or consents from Authorized Users and other Customer personnel that are necessary to grant the rights and licenses in this Agreement and use of Cofense Vision. Customer acknowledges and agrees that Cofense Vision is an on-premises software and Customer will not transfer any personal data to Cofense for use with Cofense Vision.
    4. Software Support Services. If Customer is under a current Support Term, Cofense will provide the Software Support Services set forth in the Software Support Services Exhibit, as may be updated by Cofense in its discretion.
    5. Kickstart Services (if ordered). For purposes of this Exhibit, the term “Services” will include the Kickstart Services, and the term “Kickstart Services” will mean the Services described in this Section below. If Customer orders Kickstart Services for Cofense Vision, the following will apply:
      1. Cofense will (i) conduct a kickoff call prior to installation of Cofense Vision, (ii) advise the Customer on the recommended email ingestion configuration for Cofense Vision and the Customer’s email environment, and (iii) assist with the scheduling of Cofense and Customer technical resources to complete the Kickstart Services.
      2. Cofense will provide the following guidance: (i) appliance and database deployment, (ii) initial Cofense Vision account setups, (iii) exchange service account and mailbox setups, (iv) exchange journaling setup, (v) Cofense Vision DNS or Smart Host configurations, and (vi) if applicable, Cofense Triage integration with Cofense Vision.
      3. Customer will complete a questionnaire provided by Cofense outlining technical requirements for product installation. Customer agrees that failure to provide timely responses or input as required for performance of the Kickstart Services may impact the timing of performance by Cofense.
      4. The Kickstart Services will be performed over a mutually agreed thirty (30) day period and will not exceed fifteen (15) hours total. The Kickstart Services will be provided remotely. Fees for the Kickstart Services will be set forth in an Order.

COFENSE TRIAGE SOFTWARE
EXHIBIT I

In addition to the terms of the Agreement, the following terms apply to Cofense Triage™.

    1. For the duration of the applicable Software License Term set forth in the applicable Order and in accordance with the terms of the Agreement, Cofense grants to Customer a limited, non-exclusive, non-sublicensable, non-transferrable, non-assignable software license to use Cofense Triage (Software version set forth in the Order), including the applicable Documentation, for Customer’s internal use only (“Software License”). Software License validations will be performed from time to time during the Software License Term across an encrypted communication channel over HTTPS. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit. If Customer orders Cofense Triage Professional Services (including Cofense Triage Managed Services) in conjunction with the Cofense Triage Software License, the terms set forth in Exhibit A – Professional Services, will govern Cofense’s provision of such Professional Services. If Customer is purchasing a subscription to Cofense Intelligence™ in conjunction with the Cofense Triage Software License, the terms set forth in Exhibit C – Cofense Intelligence, will govern Customer’s Cofense Intelligence Subscription.
    2. Cofense Triage may only be (i) installed as a virtual machine on one server in Customer’s environment or (ii) hosted in Cofense’s secure cloud infrastructure.
    3. Cofense grants Customer the right to use Cofense proprietary tags which characterize and organize specific phishing content (“Cofense Rule(s)”) in connection with Cofense Triage, subject to the terms herein. For clarification, Cofense Rules will not contain any Customer Confidential Information or be attributable to Customer. Customer may use Cofense Rules within its own organization, on systems or networks owned or controlled by Customer, but not with any other unaffiliated third party; provided that Customer will not remove any proprietary markings within the Cofense Rules.
    4. Customer may create its own rules to import into Cofense Triage, and Cofense will not share such rules with any other customer of Cofense. Notwithstanding anything in the foregoing to the contrary, for any Customer created-rule that Customer chooses to share with other Cofense Triage customers via Cofense Triage Community Exchange (“Community Exchange Rules”), Customer hereby grants Cofense a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive, license, including the right to sublicense to third parties, and right to reproduce, fix, adapt, modify, translate, reformat, create derivative works from, publish, distribute, sell, transmit, publicly display, publicly perform, or provide access to electronically, broadcast, display, perform, and use and practice such Community Exchange Rule as well as all modified and derivative works thereof.
    5. Customer acknowledges and agrees that Cofense will not be liable for any damages of any nature or kind, directly or indirectly, resulting from (i) Customer or any of its personnel (including its Authorized Users) downloading and using any Cofense Rule or any other type of data from Cofense Triage; and (ii) the integration of Cofense Triage into Customer’s existing or future security system or network.
    6. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with Cofense Triage, provided, however that Cofense does not make any representations and warranties or covenants of any nature or kind with respect to any Third-Party Products, nor will Cofense have any liability for any damages that Customer may directly or indirectly incur or suffer as a result of or arising from Customer’s use of any Third-Party Product in combination with Cofense Triage. Customer further agrees and acknowledges that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by Cofense and selected by Customer, for use in combination with Cofense Triage.
    7. Software Support Services.  If Customer is under a current Support Term, Cofense will provide the Software Support Services set forth in the Software Support Services Exhibit, as may be updated by Cofense in its discretion. Any Updates (as defined in the Software Support Services Exhibit) provided under Support Services and relating to Cofense Triage will be made available to Customer via an encrypted communication channel over HTTPS.  Customer will be responsible for installing such Updates.
    8. Cofense Ask an Expert Feature (if ordered). If Customer orders the Cofense Ask an Expert Feature for Cofense Triage, the following will apply:
      1. Customer must be under a current license for Cofense Triage and fees for Cofense Ask an Expert will be set forth in an applicable Order.
      2. Cofense Ask an Expert consists of ten (10) requests to be asked over a period of one (1) year.
      3. In addition to this Agreement, the Cofense Ask an Expert terms and conditions will apply.
    9. Kickstart Services (if ordered). For purposes of this Exhibit, the term “Services” will include the Kickstart Services, and the term “Kickstart Services” will mean the Services described in this Section below. If Customer orders Kickstart Services for Cofense Triage, the following will apply:
      1. Cofense will (i) conduct a kickoff call prior to installation of Cofense Triage, (ii) advise the Customer on the recommended Cofense Reporter configuration for Cofense Triage and the Customer’s email clients, and (iii) assist with the scheduling of Cofense and Customer technical resources to complete the Kickstart Services.
      2. Cofense will provide the following guidance in order to set up email ingestion: (i) abuse box account information settings, (ii) Cofense Triage third party integration setups, as necessary, (iii) outbound SMTP setup, (iv) identity provider setup, and (v) SSL certificate installation.
      3. One week after the initiation of email ingestion, Cofense will provide guidance on the following: (i) performing initial rule and recipe configurations based on reported emails, (ii) set up of processed email retention history, (iii) configuration of user responses, and (iv) activating threat intelligence. Subsequently, Cofense will conduct a Customer Q&A and transition to support meeting.
      4. Customer will complete a questionnaire provided by Cofense outlining technical requirements for product installation. Customer agrees that failure to provide timely responses or input as required for performance of the Kickstart Services may impact the timing of performance by Cofense.
      5. The Kickstart Services will be performed over a mutually agreed thirty (30) day period and will not exceed fifteen (15) hours total. The Kickstart Services will be provided remotely. Fees for the Kickstart Services will be set forth in an Order.

 

SOFTWARE SUPPORT SERVICES
EXHIBIT J

In addition to the terms of the Agreement, the following terms will govern the Software Support Services with respect to Customer’s license of the applicable Cofense Software.

During the Support Term, Cofense will provide Customer notification of bug fixes, maintenance patches and new releases which may contain minor enhancements to the features or functions of the Software (“Updates”).  Unless otherwise set forth elsewhere in the Agreement, Customer may obtain Updates from Cofense’s server via the Internet.  Cofense reserves the right to impose additional charges for releases of Software (i) that provide major enhancements to the features or functions of the Software, as determined by Cofense at its sole discretion; or, (ii) that provide additional features or perform additional functions not provided or performed by the Software. Support for Software is subject to Cofense’s End of Life Policy as set forth in the Cofense Community portal. 

Technical Operations Center (TOC) for Cofense Reporter, Cofense Vision and Cofense Triage Enterprise Support:

  • Cofense Support (questions concerning basic feature inquiries, troubleshooting, installation and configuration support) is available 9:00 AM to 6:00 PM US ET (Monday-Friday).
  • TOC support hours are subject to holiday hours and closures. TOC support hours may be reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense Community Portal. Customer may refer to the most up to date hours as set forth in the Cofense Community portal.
  • Normal priority requests received outside of support hours are placed in a support queue for processing by TOC Engineers during standard support hours.  Urgent issues outside of business hours will be received and escalated by a US based answering service.
  • Special support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed upon date and time.
  • The TOC Reporter, Vision and Triage Support teams may be reached via service portal, live chat, and telephone as listed in the Cofense Community portal.

COFENSE PROTECT
EXHIBIT K

In addition to the terms of the Agreement, the terms set forth in this Exhibit will apply if Customer orders Cofense Protect.

As used herein, “You” or “Your” refers to the business, government or entity ordering and accessing the Services. “We”, “Us”, or “Our” refers to Cofense Inc. We or You may be referred to individually as a “Party,” or collectively as the “Parties.” Access to the Services for Your own internal use will be governed by these CUSTOMER TERMS OF USE (the “Customer Agreement”). Access to the Services to provide managed security services to third party end customers (where You have been authorized to do so by Us) will be governed by the MSSP SERVICES TERMS OF USE (the “MSSP Agreement”).

PLEASE NOTE THE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT, AS APPLICABLE, GOVERNS ACCESS TO THE SERVICES PROVIDED BY US UNLESS YOU (OR THE BUSINESS, GOVERNMENT OR ENTITY YOU REPRESENT) HAVE EXECUTED A SEPARATE WRITTEN AGREEMENT WITH US GOVERNING SUCH SERVICES. PLEASE READ THESE ACCEPTANCE TERMS AND THE APPLICABLE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT CAREFULLY. CLICKING ON THE “YES” OR “I ACCEPT” BUTTON (OR OTHER BUTTON OR MECHANISM DESIGNED TO ACKNOWLEDGE AGREEMENT TO THE TERMS OF THESE AGREEMENTS) OR ACCESSING OR USING THE SERVICES CONSTITUTES ACCEPTANCE OF THE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT, AS APPLICABLE. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT YOUR SUBMISSION OF AN ORDER AND/OR ORDER FORM FOR THE SERVICES CONSTITUTES AN ACCEPTANCE OF THE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT, AS APPLICABLE, AND THAT ALL FUTURE ORDERS FOR THE SERVICES FOLLOWING YOUR ACCEPTANCE OF THE APPLICABLE AGREEMENT WILL BE GOVERNED BY THE TERMS OF THE APPLICABLE AGREEMENT. IF YOU AGREE TO THE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT ON BEHALF OF A BUSINESS, GOVERNMENT, OR OTHER ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE POWER AND AUTHORITY TO BIND SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY TO THE AGREEMENT, AND YOUR AGREEMENT TO THESE APPLICABLE TERMS WILL BE TREATED AS THE AGREEMENT OF SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY.

IF YOU ARE UNWILLING TO AGREE TO THE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT, AS APPLICABLE, OR YOU DO NOT HAVE THE RIGHT, POWER AND AUTHORITY TO ACT ON BEHALF OF AND BIND SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY TO THESE AGREEMENTS, DO NOT CLICK ON THE BUTTON AND DO NOT ACCESS, OR OTHERWISE USE THE SERVICES. IF YOU RECEIVE THE SERVICES THROUGH ONE OF OUR AUTHORIZED RESELLERS, PARTNERS OR DISTRIBUTORS (COLLECTIVELY, “AUTHORIZED PARTNER”), ALL FEES AND OTHER PROCUREMENT AND DELIVERY TERMS WILL BE AGREED BETWEEN YOU AND THE AUTHORIZED PARTNER; HOWEVER, THE TERMS SET FORTH IN THE APPLICABLE CUSTOMER AGREEMENT AND/OR MSSP AGREEMENT REGARDING YOUR USE OF THE SERVICES REMAIN APPLICABLE. FOR CLARIFICATION, YOUR AGREEMENT WITH THE AUTHORIZED PARTNER IS BETWEEN YOU AND THE AUTHORIZED PARTNER ONLY AND SUCH AGREEMENT IS NOT BINDING ON US.

IF YOU DO NOT AGREE TO ALL OF THE FOLLOWING, YOU MAY NOT USE OR ACCESS THE SERVICES IN ANY MANNER.

THE CUSTOMER AGREEMENT OR MSSP AGREEMENT MAY NEED TO CHANGE ALONG WITH THE SERVICES. WE RESERVE THE RIGHT TO CHANGE THE APPLICABLE AGREEMENT AT ANY TIME, BUT IF WE DO, WE WILL BRING IT TO YOUR ATTENTION BY PLACING A NOTICE ON OUR WEBSITE, AND/OR BY SENDING YOU AN EMAIL, AND/OR BY SOME OTHER MEANS. WE FURTHER RESERVE THE RIGHT TO MODIFY THE SERVICES AT ANY TIME WITHOUT NOTICE TO YOU. IF YOU DON’T AGREE WITH THE CHANGES TO THE APPLICABLE AGREEMENT, YOU ARE FREE TO REJECT IT; UNFORTUNATELY, THAT MEANS YOU WILL NO LONGER BE ABLE TO USE THE SERVICES. IF YOU USE THE SERVICES IN ANY WAY AFTER A CHANGE TO THE APPLICABLE AGREEMENT IS EFFECTIVE, THAT MEANS YOU AGREE TO ALL OF THE CHANGES.

ALL OF THE DEFINED TERMS USED ABOVE ARE HEREBY INCORPORATED INTO THE CUSTOMER AGREEMENT AND MSSP AGREEMENT.

CUSTOMER TERMS OF USE

Where You are ordering the Services for Your own internal use, the terms of the following Customer Agreement apply.

1. Definitions
“Authorized Users” means Your authorized employees, agents or independent contractors with an assigned unique email address (i) who may access the Services; and/or (ii) whose email accounts are being used with the Services.

“Customer Data” means the information submitted or provided by You and Your Authorized Users for use with the Services.

“Our IP” means all of Our proprietary materials, including without limitation, the Services, Our Confidential Information, APIs, software, threat intelligence and threat indicators, intelligence alerts and reports, and/or investigation tools, Aggregate Data, Documentation, proprietary processes and methods, and any of Our templates and/or forms.

“Documentation” means the Services user manuals provided by Us to Our customers (which may be in electronic format), as amended from time to time by Us.

“Intellectual Property Rights” means copyrights (including, without limitation, the exclusive right to use, reproduce, modify, distribute, publicly display and publicly perform the copyrighted work), trademark rights (including, without limitation, trade names, trademarks, service marks, and trade dress), patent rights (including, without limitation, the exclusive right to make, use and sell), trade secrets, moral rights, right of publicity, authors’ rights, contract and licensing rights, goodwill and all other intellectual property rights as may exist now and/or hereafter come into existence and all renewals and extensions thereof.

“Order” means (i) a quotation, proposal, or pricing offer issued to You by Us that is signed by both Parties or to which You have confirmed acceptance in writing (“Quote”), (ii) a written purchase order or similar ordering document, signed or submitted by You and accepted by Us, under which You agree to purchase the Services (“Purchase Order”), or (iii) a quotation, proposal, or pricing offer issued by Us to You at the time of the sign-up for an evaluation or provided by Us to You after the evaluation sign up and prior to the end of Your evaluation described in Section 2 of this Customer Agreement (Evaluations and Beta Products), which You will be deemed to have accepted if You do not provide Us notice of cancellation prior to the end of the evaluation period and the Parties have not otherwise agreed to a Quote or Purchase Order. It is agreed that all Orders for the Services will incorporate the terms of this Customer Agreement, whether expressly referenced or not, and will only be accepted subject to the terms of this Customer Agreement. The terms and conditions of this Customer Agreement will govern all Orders, and any additional or different terms in an Order are deemed void and of no effect unless such additional or different terms are agreed upon by the Parties in writing. For clarity, acceptance by Us of Your purchase order or similar ordering document will not be deemed an acceptance of any conflicting or additional terms and conditions.

2. Evaluations and Beta Products
1. If We provide the Services, along with any other related materials and documentation for Your evaluation purposes, then We grant You a limited, nontransferable, non-assignable, non-sublicensable right to use the Services, subject to the terms of this Customer Agreement and any other limitations communicated to You. You may use the Services for Your own internal evaluation purposes from the date in which You access the Services, until the expiration date We provide You, or, if no expiration date is provided, for a period of up to thirty (30) days from the date of first accessing the Services. We may extend your evaluation in our sole discretion. If You do not provide Us notice to cancel Your evaluation prior to the expiration of the applicable evaluation period, Your subscription to the Services will automatically begin upon expiration of the evaluation period, subject to and governed by this Customer Agreement, and You will be deemed to have accepted the quotation or proposal provided by Us at the time of the evaluation sign-up or provided by Us to You after the evaluation sign up and prior to the end of Your evaluation, and We will charge You at the pricing stated therein unless the Parties have agreed to a Quote or Purchase Order. If You cancel before the end of Your evaluation, You will not be charged. Any continued access or use of the Services after the evaluation period remains subject to the Customer Agreement. Your eligibility for a free evaluation offer is determined solely by Us and Your access to any free evaluation offer is provided at Our sole discretion. The Services are provided to You “AS-IS”, and to the extent permitted by applicable law, We disclaim all indemnities and warranties relating to the evaluation, express or implied, including but not limited to any warranties against infringement of third-party rights, merchantability, and fitness for a particular purpose. You acknowledge that the Services are Our intellectual property. 
At the end of the evaluation period, all evaluation licenses granted herein will automatically terminate and You will delete or return any of Our Confidential Information in Your possession and provide written certification of such destruction or return in writing to Us. You understand that We may disable access to the Services automatically at the end of the evaluation period, without notice to You. This Section will take precedence over any contradictory language in this Customer Agreement as it relates to an evaluation.
2. Beta Products. We make no warranties regarding the performance of beta or pre-release products (“Beta Products”). You understand and acknowledge that Beta Products are Our IP and are being provided as a “Beta” version and made available on an “As Is” or “As Available” basis. The Beta Products may contain bugs, errors, and other problems. YOU ASSUME ALL RISKS AND ALL COSTS ASSOCIATED WITH YOUR USE OF THE BETA PRODUCTS. In addition, we are not obligated to provide any maintenance, technical, or other support for the Beta Products. Notwithstanding anything to the contrary herein, Our entire liability arising out of or related to the Beta Products will not exceed US $100. Access to Beta Products may be subject to different or additional terms provided with the Beta Products.

3. Ordering and Services Term
We will provide the Services set forth in Orders pursuant and subject to this Customer Agreement. The term of the Services is specified in the applicable Order or, if no period of time for the Services is specified, for a period of one (1) month from the date in which access to the Services was made available to You (“Initial Services Term”). Unless otherwise stated on the Order, the Services will automatically renew after its Initial Services Term for additional periods equal in length to the Initial Services Term (each, a “Renewal Services Term” and together with the Initial Services Term, the “Services Term”), unless either Party notifies the other of its intention not to renew the Services at least thirty (30) days prior to the expiration of the then-current Services Term. In the event You add additional Authorized Users during the Services Term, You will be billed for the additional Authorized Users at the pricing set forth in the applicable Order. For the duration of the applicable Services Term set forth in the applicable Order and in accordance with the terms of this Customer Agreement, We grant You a non-exclusive, non-transferable, non-assignable right to access the Services, including the applicable Documentation and Our IP associated with the Services, for Your internal use only. You acknowledge that We have no delivery obligation and will not ship copies of software as part of the Services. If You are purchasing a subscription to the simulation training module in conjunction with Cofense Protect, the terms set forth in Schedule 1 will govern your subscription. If You are purchasing a subscription to Cofense Reporter™ in conjunction with Cofense Protect, the terms set forth in Schedule 2 will govern Your subscription to Cofense Reporter™.

4. Paying for the Services
You will pay the fees for the Services set forth in the applicable Order and the renewals thereof (“Fees”). All Fees will be fully billed in advance, unless otherwise agreed by the Parties in writing. You may cancel Your Services at any time, but no refunds will be issued for Fees due. Fees are exclusive of all tariffs, duties or taxes imposed or levied by any government or governmental agency, including without limitation, federal, state and local sales, use, value added or other similar taxes (collectively, “Taxes”) and You are responsible for paying all Taxes applicable to the Services. In the event We are obligated to collect and pay indirect Taxes for the Fees, You agree to pay any indirect Taxes that may be added to the payment of any outstanding Fees and will be reflected in the invoice or subsequently invoiced if the Fees were previously paid. You will reimburse Us for any and all expenses incurred by Us so long as such expenses are directly attributable to the Services provided to You. You agree to pay all Fees, in full, within thirty (30) days. If You fail to make any payment when due, then interest at a rate of one and one-half percent (1.5%) per month will accrue on such unpaid, undisputed amounts, calculated from the date the payment was originally due. Credit card payments may incur additional fees. If You dispute any invoice, You will promptly notify Us of the disputed amount, but in no event later than the date payment is due, with an explanation of the reasons therefor. In the event of non-payment or any action at law or in equity necessary to enforce or interpret the terms of this Customer Agreement for non-payment, You agree to pay all of Our reasonable attorneys’ fees and collection costs and expenses associated with the collection of such debt, to the fullest extent permitted by applicable law.

5. Using the Services
1. Your log-in to the Services is via the Google or Microsoft Office 365 accounts. We use Google or Microsoft Office 365 permissions granted to Us by You, to provide You the Services.
2. You (i) are responsible for the use of the Services by You and Your Authorized Users in compliance with this Customer Agreement, including any applicable exhibits, addenda, Documentation and applicable laws and government regulations; (ii) are responsible for all activity relating to Your account, including without limitation ensuring that all usernames and passwords for the Services are kept secure and confidential at all times; (iii) are responsible for the accuracy, quality and legality of Your Data, including the lawful use and transmission of Your Data provided by You and Your Authorized Users in connection with the Services; (iv) will obtain all rights, permissions or consents from Authorized Users and other of Your personnel that are necessary to grant the rights and licenses in this Customer Agreement; and (v) will use commercially reasonable efforts to prevent unauthorized access to or use of Our IP and Services, and will notify Us promptly of such unauthorized use.
3. You may only designate Authorized Users’ email addresses with Internet domain names that You own or are authorized by the Internet domain name owner to use for the purposes contemplated herein. You acknowledge and agree that the maximum number of Authorized Users will not exceed the number of Authorized Users You ordered.
4. You represent, warrant, and agree that You will not submit Customer Data or otherwise use the Services or interact with the Services in a manner that:
i. Infringes or violates the intellectual property rights or any other rights of anyone;
ii. Violates any law or regulation, including any applicable export control laws;
iii. Is harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable;
iv. Jeopardizes the security of Your account or anyone else’s (such as allowing someone else to log in to the Services as You);
v. Attempts, in any manner, to obtain the password, account, or other security information from any other user;
vi. Violates the security of any computer network, or cracks any passwords or security encryption codes;
vii. Runs Maillist, Listserv, any form of auto-responder or “spam” on the Services, or any processes that run or are activated while You are not logged into the Services, or that otherwise interfere with the proper working of the Services (including by placing an unreasonable load on the Services’ infrastructure);
viii. “Crawls,” “scrapes,” or “spiders” any page, data, or portion of or relating to the Services (through use of manual or automated means);
ix. Copies or stores any significant portion of the Services;
x. Stores or transmits infringing, libelous, or otherwise unlawful or tortious material, or stores or transmits material in violation of third-party privacy or other rights; and
xi. Decompiles, reverse engineers, or otherwise attempts to obtain the source code or underlying ideas or information of or relating to the Services.
A violation of any of the foregoing is grounds for termination of Your right to use or access the Services.
5. You may use “Third-Party Products” (as such term is defined in this paragraph) in combination with the Services, provided, however that We do not make any representations and warranties or covenants of any nature or kind with respect to any Third-Party Products, nor will We have any liability for any damages that You may directly or indirectly incur or suffer as a result of or arising from Your use of any Third-Party Product in combination with the Services. You further acknowledge and agree that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. “Third-Party Products” means any third-party products authorized by Us and selected by You, for use in combination with the Services. You acknowledge and agree that any data, including personal information, You provide when using the Third-Party Products may be collected, stored, processed and transferred by the applicable third party provider in accordance with that third party provider’s privacy policy and You represent and warrant that You have obtained any required consent by the Authorized Users and any applicable regulatory body to do the foregoing.

6. Termination
1. We may terminate (or suspend access to) Your use of the Services or Your account for any breach of this Customer Agreement. We have the sole right to decide whether You are in violation of any of the restrictions set forth in this Customer Agreement. Account termination may result in deletion of any Customer Data associated with Your account. You may terminate this Customer Agreement if We commit a material breach and fail to remedy such breach within thirty (30) days of being notified by You of such breach (“Cure Period”).
2. If We terminate this Customer Agreement due to Your material breach, We will not refund any amounts to You. If You terminate the Services for Our material breach, You will receive a refund for the remainder of the then-current term for such Services; provided that You will not be entitled to any refund if You are also in breach of the Customer Agreement at the time of such termination. If You terminate the Services other than for Our material breach, You will not receive a refund or credit of any fees already paid or due to Us and, if applicable, all outstanding Services fees will accelerate and become immediately due and payable.
3. Upon termination of the Services for any reason, all access rights and licenses granted herein will immediately terminate.

7. Confidentiality and Privacy
1. “Confidential Information” means any non-public, confidential, or proprietary information of a disclosing Party (“Discloser”) that should reasonably be understood by the receiving Party (“Recipient”) to be confidential because of (i) legends or other markings; (ii) the circumstances of disclosure; or (iii) the nature of the information, which may be disclosed either directly or indirectly, in writing, visual, orally or by inspection of tangible objects (including without limitation documents, prototypes, samples, products, software, product specifications and white papers) or other means. Confidential Information includes but is not limited to technology and technical information, promotional and marketing activities, inventions, finances and financial plans, customers, business and product plans, know-how, source code, data, algorithms, methods and processes, trade secrets, designs, techniques, analyses, models, strategies and objectives, and any third-party information that Discloser is otherwise obligated to keep confidential.
2. Recipient will: (i) not use any Confidential Information for any purpose except to evaluate and engage in discussions concerning a potential business relationship between the Parties and/or to fulfill its obligations under this Customer Agreement; (ii) use at least the same degree of care as Recipient uses to protect its own confidential information from unauthorized use, access or disclosure, but in no event less than a reasonable degree of care; (iii) limit disclosure of Confidential Information to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing, prior to the receipt of Confidential Information, to be bound by confidentiality obligations similar to those set forth in this Customer Agreement; (iv) not disclose any Confidential Information to third parties without Discloser’s prior written consent; (v) not copy, reverse engineer, disassemble, create any works from, or decompile any prototypes, software or other tangible objects which embody Discloser’s Confidential Information; and (vi) comply with, and obtain all required authorizations arising from, all U.S. and other applicable export control laws or regulations. Any reproduction of Confidential Information requires Discloser’s prior written consent and will remain the property of Discloser. Any reproductions will contain any and all notices of confidentiality contained on the original Confidential Information.
3. The foregoing confidentiality obligations will not apply to information that Recipient can demonstrate: (i) is publicly known and made generally available through no improper action or inaction of Recipient; (ii) was already in the possession of, or known by Recipient prior to the time of disclosure by Discloser through no fault or breach of this Customer Agreement by Recipient; (iii) was rightfully obtained by, or disclosed to, Recipient from a third party without any obligation to maintain the Confidential Information as proprietary or confidential; or (iv) is independently developed by Recipient without use of or reference to Discloser’s Confidential Information. Recipient may disclose Confidential Information to the extent such disclosure is required to comply with applicable law or a valid order or requirement of a governmental or regulatory agency or court of competent jurisdiction, provided that Recipient (a) restricts such disclosure to the maximum extent legally permissible; (b) notifies Discloser as soon as practicable of any such requirement to the extent such provision of prior notice is permitted by applicable law; and (c) that subject to such disclosure, such disclosed materials will in all respects remain subject to the restrictions set forth in this Customer Agreement.
4. Within thirty (30) days of the termination of this Customer Agreement or upon Discloser’s written request, Recipient will promptly, at Recipient’s election, destroy or return all of Discloser’s Confidential Information in Recipient’s possession or in the possession of any representative of Recipient; provided, however, that Recipient will not, in connection with the foregoing obligations, be required to delete Confidential Information held electronically in archive or back-up systems, and such Confidential Information will in all respects remain subject to the restrictions set forth in this Customer Agreement. Upon Discloser’s written request, Recipient will provide a certification, signed by an officer of Recipient, as to the destruction or return of Discloser’s Confidential Information.
5. Discloser retains all right, title and interest to its Confidential Information. Recipient acknowledges that the disclosure of Confidential Information may cause irreparable injury to Discloser. Discloser will, therefore, be entitled to seek injunctive relief upon a disclosure or threatened disclosure of any Confidential Information, without a requirement that Discloser prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as may be available to Discloser at law or in equity. ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS.” DISCLOSER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, REGARDING ITS ACCURACY, COMPLETENESS OR PERFORMANCE.
6. You will ensure that: (i) You are entitled to transfer any relevant personal data to Us so that We may lawfully use, process and transfer the personal data on Your behalf and in accordance with this Customer Agreement; and (ii) the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection laws. You represent and warrant that You have obtained all necessary rights, permissions, or consents from Authorized Users and any applicable regulatory body prior to using the Services to comply with applicable laws and regulations, including, without limitation, the EU General Data Protection Regulation 2016/679, the Wiretap Act 1979 of the State of Israel, and the Protection of Privacy Regulations (Information Security) 2017 of the State of Israel. We will process personal information in connection with the use of the Services in accordance with the Privacy Policy, available at https://cyberfish.io/privacy (“Privacy Policy”).
7. We will: (i) process personal data in compliance with and subject to this Customer Agreement and any lawful and reasonable instructions received from You that are consistent with this Customer Agreement; (ii) not use or process or permit any of Our subcontractors to use or process, any personal data except to the extent necessary to perform Our obligations under this Customer Agreement; (iii) implement and maintain adequate and reasonable technical and organizational safeguards designed to protect against the unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data in Our possession or control; (iv) ensure that We have appropriate procedures in place designed to comply with applicable data protection laws and will take all reasonable steps to ensure that persons employed by Us, and other persons engaged at Our place of work, comply with applicable data privacy laws and regulations.
8. We may process or otherwise transfer personal data in or to any country outside the European Economic Area or any country not deemed adequate by the European Commission pursuant to applicable data protection laws to the extent necessary for the provision of the Services. If required, We will enter into the EU Standard Contractual Clauses as approved by the European Commission for ensuring an adequate level of data protection in respect of the personal data that will be processed or transferred.
9. We will not sell, process, retain, disclose, or use (i) for a commercial purpose or (ii) outside of the direct business relationship between the Parties, any Customer Data that, under the California Consumer Privacy Act (“CCPA”) constitutes “personal information” (“CA Personal Information”), except to provide the Services or as permitted by CCPA. Notwithstanding anything in this Customer Agreement, the Parties acknowledge and agree that Our access to CA Personal Information or any other Customer Data does not constitute part of the consideration exchanged by the Parties in respect of this Customer Agreement.

8. Intellectual Property
1. Intellectual Property Rights in Our IP belong exclusively to Us or Our licensors. You acknowledge and agree that You will not (and will not allow any third party), in whole or in part, to directly or indirectly: (i) disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of any of Our IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes), (ii) sell, resell, distribute, sublicense or otherwise transfer, Our IP, or make the functionality of Our IP available to any other party through any means (unless We have provided prior written consent), or (iii) reproduce, alter, modify or create derivatives of Our IP (unless as expressly permitted in this Customer Agreement). You will maintain the copyright notice and any other notices that appear on Our IP, including any interfaces related to the Services.
2. You acknowledge and agree that You will not (and will not allow any third party), in whole or in part, to directly or indirectly: (i) disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of any of Our IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes), (ii) sell, resell, distribute, sublicense or otherwise transfer Our IP, or make the functionality of Our IP available to any other party through any means (unless We have provided prior written consent), or (iii) reproduce, alter, modify or create derivatives of Our IP (unless as expressly permitted in this Customer Agreement). You will maintain the copyright notice and any other notices that appear on Our IP, including any interfaces related to the Services.
3. We own all Intellectual Property Rights in and to Aggregate Data, and may use, reproduce, sell, publicize or otherwise exploit Aggregate Data in any way, in Our sole discretion. “Aggregate Data” refers to Customer Data that is de-identified (stripped of any information used to identify You, including personal data). Aggregate Data will also include statistical information related to the use and performance of the Services, provided that such statistical information is de-identified. You grant to Us a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and exploit any suggestion, enhancement request, recommendation, correction or other feedback (“Feedback”) provided by You or Your Authorized Users relating to the Services. Feedback will not include Confidential Information.
4. We acknowledge that You own all right, title, and interest in and to Customer Data (excluding Aggregate Data). You grant to Us the worldwide right to use, access, host, copy, transmit, modify and display Customer Data, as reasonably necessary for Us to perform Our obligations in accordance with this Customer Agreement. We may disclose Customer Data to Our third-party contractors and service providers (including cloud service providers) to the extent necessary to provide the Services in accordance with this Customer Agreement; provided that such third-party contractors and service providers are bound by confidentiality obligations similar to the provisions of this Customer Agreement. You acknowledge and agree We may use Customer Data to provide and improve our products and services.
5. U.S. Government Restricted Rights. Our IP Services are “commercial items”, “commercial computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR Sections 12.211-12.212, as applicable. All Our IP and Services are and were developed solely at private expense and the use of Our IP and Services by the United States Government are governed solely by this Customer Agreement and are prohibited except to the extent expressly permitted by this Customer Agreement.

9. Warranty Disclaimer and Indemnity
We expressly disclaim any Customer Data which You have generated for use with the Services, and You agree to indemnify, hold harmless and, at Our option, to defend Us, Our officers, directors, employees, affiliates, contractors and agents from and against any losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) incurred as a result of a) any alleged or actual violations of any third party rights arising out of the Customer Data, including without limitation claims related to the unauthorized disclosure or exposure of personal data or other private information, failure to obtain required consents, claims that the Customer Data infringes a third party right, and b) claims arising from Customer’s use of the Services in violation of this Customer Agreement. THE SERVICES ARE PROVIDED ON AN “AS IS” BASIS WITHOUT ANY WARRANTY WHATSOEVER AND WE EXPRESSLY DISCLAIM, TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, ALL WARRANTIES, EXPRESS, IMPLIED AND STATUTORY, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. WE ALSO MAKE NO WARRANTY REGARDING NONINTERRUPTION OF USE OR FREEDOM FROM BUGS, AND MAKE NO WARRANTY THAT THE SERVICES WILL BE ERROR-FREE. WE DO NOT GUARANTEE ANY SPECIFIC RESULTS FROM USING THE SERVICES.

10. Limitation of Liability
TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, TORT, CONTRACT, STRICT LIABILITY, OR OTHERWISE) SHALL WE (OR OUR LICENSORS OR SUPPLIERS) BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR (A) SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY LOST PROFITS, LOST SAVINGS, LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION, HOWEVER CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT WE WERE ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES OR (B) ANY AMOUNT, IN THE AGGREGATE, IN EXCESS OF THE GREATER OF (I) $100 OR (II) THE AMOUNTS PAID BY YOU TO US FOR THE SERVICES DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT GIVING RISE TO SUCH LIABILITY.
THE LIMITATIONS AND EXCLUSIONS CONTAINED HEREIN WILL APPLY ONLY TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING HEREIN PURPORTS TO LIMIT EITHER PARTY’S LIABILITY IN A MANNER THAT WOULD BE UNENFORCEABLE OR VOID AS AGAINST PUBLIC POLICY IN THE APPLICABLE JURISDICTION.

11. Miscellaneous
1. This Customer Agreement is governed by and construed in accordance with the laws of the State of Delaware and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods. The Parties agree that the Uniform Computer Information Transactions Act or any version thereof, adopted by any state, in any form, will not apply to this Customer Agreement.
2. Any assignment of this Customer Agreement by You to another party, including any transfer by operation of law or otherwise, without the other Party’s prior written consent (which consent will not be unreasonably withheld) will be null and void; provided, however, that You may assign this Customer Agreement without consent, to an affiliate or in connection with any merger, asset purchase or sale, stock purchase or sale or similar change of control transaction.
3. We may use subcontractors in the performance of Our obligations. We will disclose subcontractors having access to Customer Data upon Your written request.
4. The provisions of the following Sections and all accrued payment obligations will survive the termination of this Customer Agreement: Section 4 (Paying for the Services), Section 7 (Confidentiality and Privacy), Section 8 (Intellectual Property), Section 9 (Warranty Disclaimer and Indemnity), Section 10 (Limitation of Liability), and Section 11 (Miscellaneous).
5. Each Party acknowledges that it is familiar with and understands the provisions of applicable anti-corruption laws, including but not limited to FCPA or UKBA, and agrees not to violate or knowingly let anyone violate such laws. You agree that no payment You make will constitute a bribe, influence payment, kickback, rebate, or other payment that would violate applicable anti-corruption or anti-bribery laws. You agree that at Our request, You will furnish Us a certification signed by Your authorized representative verifying that the Services are being used in accordance with this Customer Agreement.
6. This Customer Agreement constitutes the complete and entire agreement between the Parties with respect to the Services. It replaces and supersedes any prior agreements, oral or written, between the Parties concerning the subject matter hereof. We hereby reject and deem deleted any additional or different terms or conditions that You present, including, but not limited to, any terms or conditions contained or referenced in any purchase order, acceptance, or acknowledgement. No amendment to this Customer Agreement will be effective unless it is in writing and signed by the authorized representatives of each Party. With the exception of Your obligation to make payments due and payable to Us, neither Party will be considered to be in breach or default of this Customer Agreement as a result of its delay or failure to perform its obligations herein when such delay or failure arises out of causes beyond the reasonable control of the Party whose performance has been affected. Nothing in this Customer Agreement will benefit or create any right or cause of action in or on behalf of any person or entity other than the Parties. The failure of a Party to exercise or enforce any right or provision of this Customer Agreement will not constitute a waiver of such right or provision. If any provision of this Customer Agreement is held to be invalid or unenforceable, the remaining provisions of this Customer Agreement will remain in full force and effect.

COFENSE SAT SUBSCRIPTION SCHEDULE 1

In addition to the terms of the Customer Agreement, the following terms apply to the simulation training module and twelve (12) courses, Cofense SAT.
1. For the duration of the applicable Services Term set forth in the applicable Order and in accordance with the terms of the Customer Agreement, Cofense grants to You a non-exclusive, non-transferable, non-assignable right to access Cofense SAT, including the applicable Documentation and Our IP, for Your internal use only. You acknowledge that Cofense has no delivery obligation and will not ship copies of software as part of Cofense SAT.
2. You are responsible for Your Authorized Users’ compliance with the Customer Agreement, this Schedule and the Acceptable Use Policy Addendum.
3. You acknowledge and agree that the maximum number of Authorized Users will not exceed the number of Authorized Users set forth in the applicable Order, and You may only use Cofense SAT with Authorized Users of Cofense Protect. You may add additional Authorized Users during the Services Term, at the same pricing as set forth in the applicable Order, pro-rated for the portion of the Services Term remaining at the time. You will provide Us with a primary contact person who will approve requests for new administrators. Notwithstanding anything in the Customer Agreement to the contrary, any breach by You and its Authorized Users of this Section will result in the immediate suspension or termination of You and Your Authorized Users’ access to Cofense SAT.
4. You may only designate Authorized Users’ email addresses with Internet domain names that You own or are authorized by the Internet domain name owner to use for the purposes contemplated herein.

ACCEPTABLE USE POLICY ADDENDUM
By using the simulation training module, you are agreeing to this Acceptable Use Policy Addendum (this “Policy”). Please read this carefully.
Capitalized terms used below but not defined in this Policy will have the meaning set forth in the Customer Agreement. You and Your Authorized Users must promptly notify Us of any actual or suspected illegal or unauthorized activity or a security breach involving the simulation training module. You and Your Authorized Users may not:

1. disseminate material that is abusive, obscene, pornographic, defamatory, harassing, grossly offensive, vulgar, threatening, or malicious;
2. disseminate materials that would constitute an infringement upon the patents, copyrights, trademarks, trade secrets or other intellectual property rights of others;
3. use the simulation training module for any illegal purpose, or in violation of any laws;
4. disseminate materials that would give rise to liability under the Computer Fraud and Abuse Act;
5. commit fraud or engage in other misleading or deceptive activities;
6. upload to, or transmit from the simulation training module any viruses, worms, defects, Trojan horses, time-bombs, malware, spyware, or any other computer code of a destructive or interruptive nature;
7. share the simulation training module and any of Our IP and Confidential Information with any third-parties, except as expressly authorized in advance by Us in writing;
8. use the simulation training module and Our IP in any way to provide services to any third-party;
9. disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the simulation training module and Our IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes);
10. sell, resell, distribute, sublicense or otherwise transfer, the simulation training module and Our IP, or make the functionality of the simulation training module available to any other party through any means (unless We have provided prior written consent); and
11. reproduce, alter, modify or create derivatives of Our IP (unless as expressly permitted in the Customer Agreement).

Authorized Users must comply with any Intellectual Property Rights asserted in Our IP provided to You for the purposes of using with the simulation training module. Authorized Users will maintain and not remove or obscure any proprietary notices on Our IP.

Remedies. Violation of this Policy may result in civil or criminal liability, and We may, in addition to any other remedy that We may have at law or in equity, terminate any permission for You and any Authorized User to access the simulation training module or immediately remove the offending material. In addition, We may investigate incidents that are contrary to this Policy.

We reserve the right to update and modify this Policy at any time from time-to-time. Continued use of the simulation training module by You and Your Authorized Users after such update or modification will indicate Your acceptance of the updates and/or modifications to this Policy.

COFENSE REPORTER SUBSCRIPTION SCHEDULE 2

In addition to the terms of the Customer Agreement, the following terms apply to Cofense Reporter™.
1. For the duration of the applicable Services Term set forth in the applicable Order and in accordance with the terms of the Customer Agreement, We grant to You a non-exclusive, non-transferable, non-assignable right to access the applicable version of Cofense Reporter, including the applicable Documentation, for Your internal use only. You acknowledge that We have no delivery obligation and will not ship copies of software as part of Cofense Reporter. You are responsible for Your Authorized Users’ compliance with the Customer Agreement and this Schedule. Authorized User-initiated Cofense Reporter reports must be sent to a mailbox owned by You or authorized mailbox. You acknowledge and agree that We may store Customer Data from Cofense Reporter in the United States.

MSSP SERVICES TERMS OF USE
Where You are ordering the Services to manage them as part of Your managed security services program for Applicable Customers (as defined below) (“MSSP Services”), You acknowledge You must be authorized by Us prior to providing the MSSP Services to Applicable Customers, and You may only use the MSSP Services as a managed security service provider to Applicable Customers pursuant to this MSSP Agreement. If You are separately ordering the Services for Your internal use, then such use will be separately governed by the Customer Agreement. Capitalized terms used but not defined in this MSSP Agreement will have the same meanings set forth in the Customer Agreement.

1. Definitions
“Applicable Customers” means those customers located in the Territory(ies) for which We have given You prior written approval for You to provide MSSP Services.

“Applicable Customer Data” means the information submitted or provided by Applicable Customers for use with the Services.

“Authorized Users” means (i) Your authorized employees, agents or independent contractors with an assigned unique email address, who may access or provide the Services to the Applicable Customers; and/or (ii) employees and personnel of Applicable Customers whose email accounts are being used with the Services.

“Intellectual Property Rights” means copyrights (including, without limitation, the exclusive right to use, reproduce, modify, distribute, publicly display and publicly perform the copyrighted work), trademark rights (including, without limitation, trade names, trademarks, service marks, and trade dress), patent rights (including, without limitation, the exclusive right to make, use and sell), trade secrets, moral rights, right of publicity, authors’ rights, contract and licensing rights, goodwill and all other intellectual property rights as may exist now and/or hereafter come into existence, and all renewals and extensions thereof, of any state, country or jurisdiction.

“Order Form” means (i) a quotation, proposal, or pricing offer issued to You by Us that is signed by both Parties or to which You have confirmed acceptance in writing, (ii) a quotation, proposal, or pricing offer issued by Us to You at the time of the sign-up for an evaluation described in Section 2(d) of this MSSP Agreement, which You will be deemed to have accepted if You do not provide Us notice of cancellation prior to the end of the evaluation period, or (iii) a written purchase order or similar ordering document, signed or submitted by You and accepted by Us, under which You agree to purchase a license to the Services to provide MSSP Services under this Agreement. It is agreed that all Order Forms for the Services will incorporate the terms of this MSSP Agreement, whether expressly referenced or not, and will only be accepted subject to the terms of this MSSP Agreement. The terms and conditions of this MSSP Agreement will govern all Order Forms, and any additional or different terms in an Order Form are deemed void and of no effect unless such additional or different terms are agreed upon by the Parties in writing. For clarity, acceptance by Us of Your purchase order or similar ordering document will not be deemed an acceptance of any conflicting or additional terms and conditions.

“Territory(ies)” means the territories We authorize You to provide the MSSP Services. You may only provide the MSSP Services in those territories where We have provided our prior written authorization. Notwithstanding the foregoing, You will not provide the MSSP Services in the following Territories: North Korea, Iran, Syria, Lebanon, Cuba, Sudan, and Crimea Region of Ukraine.

2. MSSP Partner Program
1. Subject to the terms and conditions set forth herein, You may provide MSSP Services to Applicable Customers for the Services.
2. For purposes of providing MSSP Services to Applicable Customers, You will purchase the licenses in Your own name at the prices set forth in the applicable Order Form. In addition to any other information to be provided to Us by You in an Order Form, You will provide the name of the Applicable Customer (along with any other information We reasonably request).
3. You will market and promote the MSSP Services in the Territory(ies). You may also market, at Your own expense, and resell licenses to the Services to Your customers for their direct use, subject always to the customer accepting the Customer Agreement to govern their use of the Services, in the Territory(ies) only upon Our prior written approval in each instance, and You will always comply with all applicable laws and regulations reselling the Services.
4. If We provide the Services, along with any other related materials and documentation for Your Applicable Customer’s evaluation purposes, then We grant a limited, nontransferable, non-assignable, non-sublicensable right to use the Services for the Applicable Customer, subject to the terms of this MSSP Agreement and any other limitations communicated to You. You may use the Services for Your Applicable Customer’s own internal evaluation purposes from the date in which You access the Services for the Applicable Customer, until the expiration date We provide You, or, if no expiration date is provided, for a period of up to fourteen (14) days from the date of first deploying the Services for the Applicable Customer. If You do not provide Us notice to cancel the evaluation for the Applicable Customer prior to the expiration of the applicable evaluation period, Your subscription to the Services for the Applicable Customer will automatically begin upon expiration of the evaluation period, subject to and governed by this MSSP Agreement, and You will be deemed to have accepted the quotation or proposal provided at the time of the evaluation sign-up, and We will charge You at the pricing stated therein. If You cancel the evaluation for the Applicable Customer before the end of the applicable evaluation period, You will not be charged. Your eligibility for a free evaluation offer for each Applicable Customer is determined solely by Us and Your access to any free evaluation offer is provided at Our sole discretion. The Services are provided to You “AS-IS”, and to the extent permitted by applicable law, We disclaim all indemnities and warranties relating to the evaluation, express or implied, including but not limited to any warranties against infringement of third-party rights, merchantability, and fitness for a particular purpose. You acknowledge that the Services are Our intellectual property. 
At the end of the applicable evaluation period, all evaluation licenses granted herein will automatically terminate and You will delete or return any of Our Confidential Information in Your possession related to the evaluation and provide written certification of such destruction or return in writing to Us. You understand that We may disable access to the Services for each evaluation automatically at the end of the evaluation period, without notice to You. This Section will take precedence over any contradictory language in this MSSP Agreement as it relates to an evaluation.
5. You will pay the fees for the Services set forth in the applicable Order Form and the renewals thereof (“Fees”). All Fees will be fully billed in advance, unless otherwise agreed by the Parties in writing. Fees are exclusive of all tariffs, duties or taxes imposed or levied by any government or governmental agency, including without limitation, federal, state and local sales, use, value added or other similar taxes (collectively, “Taxes”) and You are responsible for paying all Taxes applicable to the Services. In the event We are obligated to collect and pay indirect Taxes for the Fees, You agree to pay any indirect Taxes that may be added to the payment of any outstanding Fees and will be reflected in the invoice or subsequently invoiced if the Fees were previously paid. You will reimburse Us for any and all expenses incurred by Us so long as such expenses are directly attributable to the Services provided to You. You agree to pay all Fees, in full, within thirty (30) days. If You fail to make any payment when due, then interest at a rate of one and one-half percent (1.5%) per month will accrue on such unpaid, undisputed amounts, calculated from the date the payment was originally due. Credit card payments may incur additional fees. If You dispute any invoice, You will promptly notify Us of the disputed amount, but in no event later than the date payment is due, with an explanation of the reasons therefor. In the event of non-payment or any action at law or in equity necessary to enforce or interpret the terms of this MSSP Agreement for non-payment, You agree to pay all of Our reasonable attorneys’ fees and collection costs and expenses associated with the collection of such debt, to the fullest extent permitted by applicable law.
6. For each Order Form, We will provide the Services pursuant and subject to this MSSP Agreement. The term of the Services for the Applicable Customer is specified in the applicable Order Form or, if no period of time for the Services is specified, for a period of one (1) month from the date in which access to the Services was made available to You (“Initial Services Term”). Unless otherwise stated on the Order Form, the Services will automatically renew after its Initial Services Term for additional periods equal in length to the Initial Services Term (each, a “Renewal Services Term” and together with the Initial Services Term, the “Services Term”), unless either Party notifies the other of its intention not to renew the Services at least thirty (30) days prior to the expiration of the then-current Services Term. In the event You add additional Authorized Users for the Applicable Customer during the Services Term, You will be billed for the additional Authorized Users at the pricing set forth in the applicable Order Form. For the duration of the applicable Services Term and in accordance with the terms of this MSSP Agreement, We grant You a non-exclusive, non-transferable, non-assignable right to access the Services, including the applicable Documentation and Our IP associated with the Services, solely for the provision of the MSSP Services to the Applicable Customer. You acknowledge that We have no delivery obligation and will not ship copies of software as part of the Services. For the duration of the applicable Services Term, We grant You a non-exclusive, revocable, non-transferable, non-assignable right to access the Services, including the applicable Documentation and any other of Our IP provided with respect to this MSSP Agreement, for Your provision of MSSP Services to Applicable Customers.

3. Applicable Customer Restrictions
You may only use the license purchased pursuant to the Agreement for the Services with only one Applicable Customer. For clarification, pricing will be based on the number of employees and/or email addresses with respect to an Applicable Customer, unless otherwise agreed by the Parties in writing in the applicable Order Form. You may not use one license to provide MSSP Services to multiple Applicable Customers. The license for the Services will be provided and used in accordance with the terms of the Customer Agreement, except that the prohibition of using the Services with third parties in the Customer Agreement will not be applicable to the extent You are providing the Services to Applicable Customers in compliance with this Agreement and You are not permitted to use the MSSP Services for Your internal use as part of Your order of the MSSP Services. Under no circumstances may You use a single license for multiple Applicable Customers.

4. Term and Termination
1. We may terminate this MSSP Agreement and Your license to provide MSSP Services upon ninety (30) days’ prior written notice for Our convenience.
2. We may, in Our sole and absolute discretion, immediately terminate this MSSP Agreement or an individual license, or suspend Your access to the Services in connection with any actual, alleged or suspected: (i) breach of confidentiality obligations and license or use restrictions set forth in the Customer Agreement and this MSSP Agreement, (ii) direct or indirect technical or security issues or problems caused by or relating to You or an Applicable Customer, or (iii) violations of applicable law. A Party may otherwise terminate this MSSP Agreement if the other Party commits a material breach, and fails to remedy such breach within thirty (30) days of being notified by the non-breaching Party of such breach. If We terminate this MSSP Agreement due to Your material breach, We will not refund any amounts to You.
3. Upon termination or expiration of this MSSP Agreement: (a) You will promptly return to Us all materials related to Us in Your possession, and You will cease representing yourself as one of Our authorized MSSP partners; (b) all licenses granted hereunder will terminate; and (c) each Party will cease using, return or destroy, at the sole election of the other Party, all Confidential Information of such other Party relating to this MSSP Agreement, and You will cease using any of Our IP (as defined in the Customer Agreement).

5. Your Responsibilities
1. Prior to providing the MSSP Services to Applicable Customers, You will, upon request, successfully complete and pass the Managed Security Services Provider Program certification training for the MSSP Services. If at any time, We find that You are not providing MSSP Services up to Our standards, We may suspend this MSSP Agreement immediately and require that You attend additional training, as reasonably necessary. You must follow Our reasonable instructions regarding use of the Services and training.
2. You will complete any due diligence questionnaires We request from time to time.
3. In providing the MSSP Services, You will comply with the Acceptable Use Policy attached hereto as Exhibit A.
4. You (i) are responsible for the use of the Services and Our IP by Your personnel (including Authorized Users) and the Applicable Customer in compliance with this MSSP Agreement, including any applicable exhibits, addenda, Documentation and applicable laws and government regulations; (ii) are responsible for the accuracy, quality and legality of Applicable Customer Data, including the lawful use and transmission of Applicable Customer Data provided by Applicable Customer and any Authorized Users in connection with the Services; (iii) will obtain all rights, permissions or consents from Authorized Users and other Applicable Customer personnel that are necessary to grant Us the rights and licenses in this MSSP Agreement; and (iv) will use commercially reasonable efforts to prevent unauthorized access to or use of Our IP and Services, and will notify Us promptly of such unauthorized use.
5. You will ensure that: (i) You and the Applicable Customer are entitled to transfer the relevant personal data to You and Us so that the Parties may lawfully use, process and transfer the personal data on the Applicable Customer’s behalf and in accordance with this MSSP Agreement; and (ii) the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection laws. You may only use Authorized User’s email addresses with Internet domain names that are authorized by the Internet domain name owner to use for the purposes contemplated herein.
6. You agree that at Our request, You will furnish Us a certification signed by Your authorized representative verifying that the Services are being used in accordance with this MSSP Agreement.

6. Applicable Customers
1. We may reject Your request to provide MSSP Services to a potential Applicable Customer at any time for any reason, without incurring any liability to You and/or Applicable Customer.
2. The Parties acknowledge that You will have Your own agreements with the Applicable Customers pursuant to which You will provide MSSP Services to the Applicable Customers. You acknowledge and agree that We will not be a party to the contract between You and the Applicable Customer and, further, that We will not be liable to You or to Applicable Customer in respect of any claims made by the Applicable Customers under the contract between You and the Applicable Customer.
3. Prior to providing MSSP Services for each Applicable Customer, We may request a letter of acknowledgment in place executed between Us and the Applicable Customer.

7. Intellectual Property
1. Any documentation, materials, intelligence, and any other proprietary information provided by Us, or on Our behalf, in connection with the MSSP Services are also Our IP, to which We own all Intellectual Property Rights. Notwithstanding anything in the Customer Agreement to the contrary, You will use Our IP under this MSSP Agreement solely for the purposes of providing MSSP Services to Applicable Customers. You will not modify any documentation We provide without Our prior written permission each time. We will automatically own and have title to any derivative works based on Our IP.
2. You understand, acknowledge and agree that We own all Intellectual Property Rights in and to Aggregate Data, and may use, reproduce, sell, publicize or otherwise exploit Aggregate Data in any way, in Our sole discretion. “Aggregate Data” refers to Applicable Customer Data that is de-identified (stripped of any information used to identify Applicable Customer, including personal data). Aggregate Data will include data identified through the Services as malicious and also include statistical information related to the use and performance of the Services, provided that such information is de-identified. You grant Us a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and exploit any suggestion, enhancement request, recommendation, correction or other feedback (“Feedback”) You provide relating to the Services. Feedback will not include Confidential Information. You will provide Us with all threat intelligence learned and collected with the use of the Services and such threat intelligence will not include Confidential Information.
3. You acknowledge and agree that the maximum number of Authorized Users will not exceed the number of Authorized Users set forth in the applicable Order Form. At the beginning of the applicable Services Term, You will designate and allocate the Authorized Users on behalf of the Applicable Customer. The Parties acknowledge and agree that Authorized Users may not be reassigned or replaced (except for those designated by You to act as administrators) prior to the expiration of the applicable Services Term. Any breach by You and Your Authorized Users of this Section may, in Our sole discretion, result in the immediate suspension or termination of You and Your Authorized Users’ access to the Services and/or termination of this MSSP Agreement.
4. You may not enter into new license agreements for the Services with customers who already have direct agreements in place with Us.

8. Confidentiality
1. “Confidential Information” means all non-public information, whether written, electronic, oral or graphic, that a disclosing party (“Discloser”) may disclose or reveal to the receiving party (“Recipient”), that is either (i) identified as confidential at the time of disclosure by Discloser, or (ii) disclosed under circumstances that would indicate to a reasonable person that the information should be treated as confidential by Recipient. Confidential Information includes, but is not limited to, technical or business information, pricing, financial plans and records, marketing plans, research, present and proposed products, trade secrets, know how, processes, intelligence, computer software programs, software tools and descriptions of functions and features of software, source code, information regarding customers and suppliers, employees and affiliates, and methods for systems integration, company systems or software.
2. Recipient will maintain all Confidential Information of the Discloser in strict confidence. Except as provided in this MSSP Agreement, the Recipient will not use Confidential Information of the Discloser, except to perform or otherwise fulfill the purpose of this MSSP Agreement or disclose it in any manner to any third party without the prior express written consent of the Discloser. Recipient will restrict access to, and use of, Confidential Information of the Discloser to those employees and agents of Recipient’s organization with a need to use the information to perform under or otherwise fulfill the purpose of this MSSP Agreement. Recipient will use the same degree of care in handling and safeguarding Confidential Information that it uses in handling and safeguarding its own Confidential Information, and in any case not less than reasonable care. Before disclosing any Confidential Information to its officers or employees, Recipient will subject such officers and employees to an obligation of confidentiality no less stringent than that by which Recipient is bound.
3. The obligations set forth in the subsection above will not apply to information which is: (i) already known to or otherwise in the possession of the Recipient at the time of disclosure and which was not so known or received in violation of any confidentiality obligation; (ii) publicly available or otherwise in the public domain prior to disclosure by the Recipient; (iii) rightfully obtained by the Recipient from any third party without restriction and without breach of any confidentiality obligation by such third party; or (iv) developed by the Recipient without reference to the Discloser’s Confidential Information and independent of any disclosure hereunder, as evidenced by written records.
4. Each Party may disclose Confidential Information to the limited extent necessary to comply with the order of a court or administrative body of competent jurisdiction or a government agency, provided that the Recipient will notify the Discloser prior to such disclosure, if permissible, and will cooperate with the Discloser if the Discloser elects to legally contest, request confidential treatment of, or otherwise avoid such disclosure.

9. Warranty and Indemnification
1. You represent and warrant that You will not (i) make or publish any false or misleading representations, warranties, or guarantees on Our behalf or Our suppliers, or (ii) make any representations, warranties, or guarantees with respect to Us, the Services or any of Our obligations that are inconsistent with the terms of this MSSP Agreement.
2. You agree to indemnify, defend and hold Us, and Our affiliates, directors and officers, employees and agents harmless from any and all claims and/or demands, including reasonable attorneys’ fees, made by any third party arising out of or related to Your and/or Authorized Users’ alleged or actual use or misuse of the Services and Our IP, including without limitation: (a) claims related to the unauthorized disclosure or exposure of personal data or other private information, violations of any third party rights, and failure to obtain required consents for Us to provide the Services under this MSSP Agreement; (b) claims that You are infringing on any third party intellectual property or data privacy right; (c) a breach of the Acceptable Use Policy; or (d) claims arising from Your use of the Services in violation of the Customer Agreement or this MSSP Agreement. Further, You will indemnify Us, Our employees, officers, directors, affiliates, independent contractors, and agents against any claim made by an Applicable Customer against Us arising in connection with the MSSP Services or the contract between You and the Applicable Customer.

10. Limitation of Liability
TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, TORT, CONTRACT, STRICT LIABILITY, OR OTHERWISE) SHALL WE (OR OUR LICENSORS OR SUPPLIERS) BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR (A) SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY LOST PROFITS, LOST SAVINGS, LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION, HOWEVER CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT WE WERE ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES OR (B) ANY AMOUNT, IN THE AGGREGATE, IN EXCESS OF THE GREATER OF (I) $100 OR (II) THE AMOUNTS PAID BY YOU TO US FOR THE SERVICES DURING THE TWELVE (12) MONTHS PRIOR TO THE FIRST EVENT GIVING RISE TO SUCH LIABILITY.
THE LIMITATIONS AND EXCLUSIONS CONTAINED HEREIN WILL APPLY ONLY TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING HEREIN PURPORTS TO LIMIT EITHER PARTY’S LIABILITY IN A MANNER THAT WOULD BE UNENFORCEABLE OR VOID AS AGAINST PUBLIC POLICY IN THE APPLICABLE JURISDICTION.

11. Data Privacy and Compliance
1. You will (i) comply with all applicable legal requirements regarding privacy and data protection; and (ii) provide sufficient notice to, and obtain sufficient consent and authorization from, Applicable Customers and any other party providing personal data to You and Us to permit the processing of the data by You, Us, and either Party’s respective affiliates, subsidiaries, and service providers as contemplated by this MSSP Agreement.
2. You will comply with all applicable export controls, trade sanctions, and import laws and regulations in Your use of the Services, including without limitation the regulations of the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) and the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) (collectively, “Export Control Laws”). You will not, directly or indirectly, export or re-export, or knowingly permit the export or re-export of any of the Services, without any required government authorization, to any person, or entity (i) located or resident in any country or territory that is subject to comprehensive U.S. trade sanctions or other significant trade restrictions (including without limitation, Cuba, Iran, North Korea, Sudan, Syria, and the Crimea region of Ukraine) (“Sanctioned Countries”); or (ii) identified on any U.S. government restricted party lists (including the Specially Designated Nationals and Blocked Persons List, Foreign Sanctions Evaders List, and Sectoral Sanctions Identifications List, administered by OFAC, and the Denied Party List, Entity List and Unverified List, administered by BIS) (“Restricted Party Lists”). You represent and warrant that You are not (i) a citizen of, or located in, a Sanctioned Country, or (ii) identified on, or more than 50 percent (50%) owned or controlled by one or more persons or entities identified on, a Restricted Party List.
3. Each Party acknowledges that it is familiar with and understands the provisions of the U.S. Foreign Corrupt Practices Act of 1977, as amended (the “FCPA”) and the U.K. Bribery Act of 2010 (“UKBA”) and agrees not to violate or knowingly let anyone violate the FCPA, UKBA, or any other applicable anti-corruption laws. You agree that no payment You make will constitute a bribe, influence payment, kickback, rebate, or other payment that violates the FCPA, the UKBA, or any other applicable anti-corruption or anti-bribery laws.
4. You will perform Your obligations hereunder in compliance with Our applicable rules, policies and regulations (“Policies”), now in effect or hereafter amended or established by Us from time to time. You will require Your employees, agents or consultants performing services directly in connection with this MSSP Agreement to comply with such Policies and will be responsible for any violation of such Policies by Your employees, agents or consultants.
5. You will comply with all applicable laws and regulations with respect to Your use of the Services. You will obtain all licenses and approvals required under and will otherwise comply with all laws of the Territory(ies) governing the importation, management, marketing or distribution of the Services into and throughout the Territory(ies) and will pay (and reimburse Us if it is required to pay) all related governmental charges and related expenses.

You will (i) comply with all applicable legal requirements regarding privacy and data protection; and (ii) provide sufficient notice to, and obtain sufficient consent and authorization from Applicable Customers and any other party providing personal data to You and Us to permit the processing of the data by You, Us, and each Party’s respective affiliates, subsidiaries, and service providers as contemplated by this MSSP Agreement. You understand that We may be required to disclose certain information received in connection with this MSSP Agreement (including, for example, the names of Applicable Customers and details of security incidents observed) to government authorities as required by applicable laws. You will ensure that each Applicable Customer understands and agrees to comply with this provision.

12. Insurance
You will maintain commercial property, casualty, errors and omissions, and liability insurance in amounts customary for businesses operating in Your industry and for the provision of the Services. All liability and errors and omissions insurance will designate Us as an additional insured. All such insurance must be primary and require the issuer to respond and pay prior to any other available coverage. You agree that You and anyone claiming by, through, under, or on Your behalf will have no claim, right of action, or right of subrogation against Us based on any loss or liability insured against under the foregoing insurance. You will provide Us with certificates or adequate proof of the foregoing insurance within thirty (30) days of request and thereafter promptly each year after renewal. Such insurance policies or endorsements will entitle Us to receive notice at least thirty (30) days prior to any cancellation (including for nonrenewal) or change.

13. Audits
You will provide Us reports (within 15 days of requests) and such reports will provide the following information: (i) details about the Applicable Customers, including Applicable Customer name and address; (ii) the number of licenses and Authorized Users being used in connection with the Services for each Applicable Customer; and (iii) any other information We request. We will have the right to audit Your MSSP Services activities (including Your use of the Services and information provided in any reports) to ensure compliance with this MSSP Agreement and You will provide Us with access and information as We may request in connection with such audits.

14. Miscellaneous Provisions
1. Nothing in this MSSP Agreement will be construed as limiting Our appointment of other managed security service providers, dealers, licensees or agents in any way, or limiting Our other marketing or distribution activities in any way or granting similar rights as those set out herein to any other party in any way.
2. In making and performing this MSSP Agreement, the Parties have acted, and will act, always, as independent contractors, and, except as expressly set forth in this MSSP Agreement or any exhibits, nothing contained in this MSSP Agreement or any exhibits will be construed or implied to create an agency, partnership or employer and employee relationship between them. Except as expressly set forth in this MSSP Agreement, at no time will either Party make commitments or incur any charges or expenses for, or in the name of, or act as agent of the other Party.
3. You will not assign Your rights (by operation of law or otherwise) or delegate Your obligations under this MSSP Agreement without Our prior written consent, and, absent such consent, such assignment or delegation by You will be null, void and of no effect. This Agreement will be binding upon and inure to the benefit of each Party and their successors and permitted assigns.
4. This Agreement and the rights and obligations of the Parties hereunder and thereunder, will be construed in accordance with, and will be governed by, the laws of the Commonwealth of Virginia, without giving effect to its conflict of laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this MSSP Agreement.
5. This Agreement may not be amended or modified except in a writing duly executed by authorized representatives of both Parties. If any term or provision of this MSSP Agreement is determined by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the legality, validity, or enforceability of the remainder of this MSSP Agreement will not thereby be affected, and this MSSP Agreement will be deemed amended to the extent necessary to delete such provision. The waiver by either Party of a breach of any provision of this MSSP Agreement will not operate or be construed as a waiver of the same or any other breach by that Party, whether prior or subsequent. Any waiver under this MSSP Agreement must be in writing and signed by an authorized representative of the waiving Party. In the event of a contractual dispute arising out of or relating to payment obligations of a Party, the Party prevailing in such dispute will be entitled to collect from the other Party all costs of collection in such dispute, including reasonable attorneys’ fees.
6. Except with respect to payment obligations, if a Party is prevented or delayed in performance of its obligations under this MSSP Agreement as a result of circumstances beyond such Party’s reasonable control, including, without limitation, war, terrorist act, riot, fires, floods, epidemics, or failure of public utilities or public transportation systems, such failure or delay will not be deemed to constitute a material breach of this MSSP Agreement, but such obligation will remain in full force and effect and will be performed or satisfied as soon as reasonably practicable after the termination of the relevant circumstances causing such failure or delay. The terms set out in the Customer Agreement incorporated herein along with the terms set out in the MSSP Agreement will be considered as one agreement, to be read together and constituting the applicable terms in respect of Your usage of the Services for providing MSSP Services to Your Applicable Customers and supersedes all prior agreements, representations, negotiations, or other understandings of the Parties with respect to such subject matter, whether written or oral. In the event of any conflict between this MSSP Agreement and any Order Form, the terms of this MSSP Agreement will govern and control.
7. With respect to U.S. government Applicable Customers, Our IP, including the Services, are “commercial items”, “commercial computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR Sections 12.211-12.212, as applicable. All Our IP, including the Services are and were developed solely at private expense and the use of Our IP, including the Services, by the United States Government are governed solely by this MSSP Agreement and are prohibited except to the extent expressly permitted by this MSSP Agreement.
8. The provisions of Section 7, Section 8, and Sections 10 through 14, as well as any obligations to pay any amounts due and outstanding hereunder, will survive termination of this MSSP Agreement.

EXHIBIT A

ACCEPTABLE USE POLICY
When providing MSSP Services to Applicable Customers, You will comply with this Acceptable Use Policy (this “AUP”). You and Your Authorized Users must promptly notify Us of any actual or suspected illegal or unauthorized activity or a security breach involving the Services. You are responsible for Your Authorized Users’ compliance with the MSSP Agreement and this AUP.

You and Your Authorized Users may not:

1. transmit unlawful materials, e-mail or information;
2. transmit harassing, threatening or abusive materials, e-mail or information;
3. transmit defamatory, libelous, slanderous or scandalous materials, e-mail or information;
4. transmit obscene, pornographic, profane or otherwise objectionable information of any kind;
5. transmit materials, e-mail or information that would constitute an infringement upon the patents, copyrights, trademarks, trade secrets or other intellectual property rights of others;
6. transmit materials constituting or encouraging conduct that would constitute a criminal offence, give rise to civil liability, or otherwise violate any local, state, national or international law, including without limitation, the U.S. export control laws and regulations;
7. transmit materials that would give rise to liability under the Computer Fraud and Abuse Act;
8. use the Services to commit fraud or engage in other misleading or deceptive activities;
9. upload to, or transmit from the Services any viruses, worms, defects, Trojan horses, time-bombs, malware, spyware, or any other computer code of a destructive or interruptive nature other than any of the foregoing contained in the emails or links provided by the Applicable Customer to You for the purpose of analyzing the emails and links for malicious content as part of the Services;
10. share the Services and any of Our IP and Our Confidential Information with any third-parties, except as permitted by this MSSP Agreement or expressly authorized in advance by Us in writing;
11. use the Services and Our IP in any way to provide services to any third-party except to the Applicable Customer in accordance with this MSSP Agreement;
12. disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Services and any of Our IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes);
13. sell, resell, distribute, sublicense or otherwise transfer, the Services and any of Our IP, or make the functionality of the Services available to any other party through any means (unless We have provided prior written consent); and
14. reproduce, alter, modify or create derivatives of Our IP (unless as expressly permitted in the MSSP Agreement).

Authorized Users must comply with any of Our Intellectual Property Rights asserted in Our IP provided to You for the purposes of using with the Services. Authorized Users will maintain and not remove or obscure any proprietary notices on Our IP.
Remedies. Violation of this AUP may result in civil or criminal liability, and We may, in addition to any other remedy that We may have at law or in equity, terminate any permission for You and any Authorized User to access the Services or immediately remove the offending material. In addition, We may investigate incidents that are contrary to this AUP.
We reserve the right to update and modify this AUP at any time from time-to-time. Your continued use of the Services and Your Authorized Users after such update or modification will indicate Your acceptance of the updates and/or modifications to this AUP.

UNITED STATES GOVERNMENT
EXHIBIT L

In addition to the terms of the Agreement, the terms set forth in this Exhibit will apply if Customer is an agency, department, court, or instrumentality of the United States Federal Government.

To the extent the terms and conditions in the Agreement are inconsistent with Federal Law (e.g., the Antideficiency Act (31 U.S.C. § 1341(a)(1)(B)), the Contract Disputes Act of 1978 (41 U.S.C. §§ 7101-7109), the Prompt Payment Act (31 U.S.C. §§ 3901 et seq.), the Anti-Assignment statutes (31 U.S.C. § 3727 and 41 U.S.C. § 6305), 28 U.S.C. § 516 (Conduct of litigation reserved to Department of Justice), and 28 U.S.C. § 1498 (unauthorized use of a patented invention by or for the United States, or copyright infringement by the United States)) such terms and conditions will be subject to the following:

  1. Order of Precedence. If there is any conflict between the terms and conditions of the Agreement and this Exhibit, this Exhibit will govern and control.
  2. No Automatic Renewal; Termination. Any provisions in the Agreement providing for automatic renewal are hereby deleted. Any provisions in the Agreement referencing Termination will be subject to FAR 52.212-4 and Customer’s authorization and consent rights under 28 USC 1498(a).
  3. Fees; Taxes. Customer will not pay any future costs or fees under an applicable Order. All taxes are subject to FAR 52.212-4(k).
  4. Customer Indemnification Obligations. Any provisions in the Agreement referencing Customer Indemnification obligations are hereby deleted, to the extent inconsistent with Federal Law.
  5. Cofense Indemnification Obligations. Any provisions in the Agreement that (1) violate DOJ’s right to represent Customer in any case (28 U.S.C. 516) and/or (2) require that Customer give sole control over the litigation and/or settlement, are hereby deleted. Any injunctive relief regarding a claim for intellectual property infringement is deleted, to the extent inconsistent with 28 USC 1498(b).
  6. Limitation of Liability. Any provisions in the Agreement referencing Limitation of Liability are deleted and replaced with FAR 52.246-25.
  7. Dispute Resolution and Venue. Any provisions in the Agreement requiring Customer to follow a specific procedure to raise claims or to resolve disputes are hereby deleted.  Any provisions in the Agreement selecting a particular judicial forum or form of alternative dispute resolution for resolving claims relating to the Agreement are hereby deleted.  Any disputes relating to the Agreement will be resolved in accordance with FAR 233-1 and the Contract Disputes Act of 1978 (41 U.S.C. §§ 7101-7109).
  8. Assignment; Novation. Any provisions referencing Assignment are deleted in their entirety, and assignment and novation will be subject to FAR 52.232-23 and FAR 42.12.
  9. Intellectual Property. The Cofense IP, Software and Services are “commercial items”, “commercial computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR Sections 12.211-12.212, as applicable. All Cofense IP, Software, and Services are and were developed solely at private expense and the use of Cofense IP, Software and Services by the United States Government is governed solely by the Agreement and is prohibited except to the extent expressly permitted by the Agreement.
  10. Governing Law. The Agreement will be governed by the laws of the United States. Any provisions in the Agreement stating that the Agreement will only be governed by the law of any particular U.S. State or U.S. Territory or district, or foreign nation, are hereby deleted. In the event the Uniform Computer Information Transactions Act (UCITA) or any similar federal laws or regulations are enacted, to the extent allowed by law, it will not apply to the Agreement, and the governing law will remain as if such law or regulation had not been enacted.
  11. Unilateral Modification. Any provisions in the Agreement allowing for Cofense’s unilateral modification are deleted in their entirety.
  12. Confidential Information. The written terms and conditions set forth in the Agreement, including this Exhibit, will not be considered confidential information. All other confidentiality obligations set forth in the Agreement will apply. For clarification, all Cofense Confidential Information, including specific line-item pricing, is provided solely by Cofense, and is not generated by Customer.