Privacy Policy for Customers & End Users

PhishingBox, LLC

Terms of Service

1. ACCEPTANCE OF TERMS

__________________________________________________

These Terms of Service, including all exhibits and incorporations herein, set forth an agreement (the "Agreement") between you (“you,” “your,” or “Customer”) and PhishingBox, LLC, a Kentucky Limited Liability Company, including our product partners (collectively, “PhishingBox,” “we,” “our,” or “us”), for access to PhishingBox's Services (as defined below). Upon signing an Order (as defined below) incorporating these terms, creating an account, or otherwise using PhishingBox’s Services, you and we shall have shown our agreement with the terms, which is required prior to, and as a condition of, use of the Service.

2. DEFINITIONS

__________________________________________________

"Affiliate" means any entity which directly or indirectly controls, is controlled by, or is under common control with a party to this Agreement. For purposes of this definition, control means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Confidential Information” means all confidential information disclosed by a party ("Disclosing Party") to the other party ("Receiving Party"), whether orally or in writing, that is designated as or should reasonably be understood to be confidential. Confidential Information includes all information concerning: the Disclosing Party's customers and potential customers, past, present or proposed products, marketing plans, engineering and other designs, technical data, business plans, business opportunities, finances, research, and development. Confidential Information doesn't include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party. Subject to the foregoing exclusions, Customer Data will be considered Confidential Information under this Agreement regardless of whether or not it is designated as confidential.

"Consulting Services" means the professional services, including Managed Services, provided to you by us, which may include training services, installation, integration or other consulting services.

"Customer Data" means all information that you submit or collect via the Service. Customer Data does not include PhishingBox Content.

"Customer Materials" means all materials that you provide or post, upload, input or submit for public display through the Service.

"Excluded" means the following: (i) unavailability caused by circumstances beyond our reasonable control, including, without limitation, act of God, acts of government, emergencies, natural disasters, flood, fire, civil unrest, acts of terror, strikes or other labor problems (other than those involving our employees), or any other force majeure event or factors; (ii) any problems resulting from Customer's combining or merging the Service with any hardware or software not supplied by us or not identified by us in writing as compatible with the Service; (iii) interruptions or delays in providing the Service resulting from telecommunications or internet service provider failures outside of our datacenter as measured by our third party website availability monitoring provider; (iv) any interruption or unavailability resulting from the misuse, improper use, alteration, or damage of the Service; and (v) any scheduled maintenance.

"Fee" means the amount you pay for the Service.

“Free Services” means the Service or other products or features made available by us to you on an unpaid trial or free basis.

“Managed Services” means any ongoing management of phishing campaigns and/or training campaigns being run or managed by PhishingBox on your behalf.

"Order" means the PhishingBox-approved form or online subscription process by which you agree to subscribe to the Service.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable data protection laws.

"PhishingBox Content" means all information, data, text, messages, software, sound, music, video, photographs, graphics, images, and tags that we incorporate into the Service or Consulting Services.

“Professional Services” means, collectively, the Consulting Services and other professional services which you have ordered. Professional Services include any deliverables described in your Order and delivered by PhishingBox to you under the Order. The term “Professional Services” does not include your primary PhishingBox license.

“SCCs” means the Standard Contractual Clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable).

"Service" means all of our Microsoft-based and web-based applications, tools and platforms that you have subscribed to under an Order or that we otherwise make available to you, and are developed, operated, and maintained by us, accessible via phishingbox.com, portal.phishingbox.com, school.phishingbox.com, auditfindings.com, securitytips.com, or another designated URL, and any ancillary products that we provide to you, including without limitation such products identified as “a PhishingBox product” or “made by PhishingBox” in the associated branding and the KillPhish^TM plugin accessible via Microsoft 365.

"Service Uptime" means (total hours in calendar month - Downtime - Excluded) / (total hours in calendar month - Excluded) X 100%.

“Solutions Provider” refers to any account that either performs services for customers using our Service or resells our Services to others.

"Subscription Term" means the initial term of your subscription to the Service, as specified on an Order, and each subsequent renewal term (if any). For Free Services, the Subscription Term will be the period during which you have an account to access the Free Services.

“Target” is an individual who is tested via the Service, such as through an email address, or whose Target Information is otherwise stored by you in the Service or on your behalf through Professional Services.

"Target Information" means the name, email address, title, department, phone number, and similar information uploaded by you to the Service.

"Third-Party Products" means products that are provided by third parties which interoperate with or are used in connection with the Service. These products include non-PhishingBox applications available from our marketplaces, directories, and links made available through the Service.

"Users" means employees, representatives, consultants, contractors or agents who are authorized by or on behalf of you to use the Service.

3. USE OF SERVICES

__________________________________________________

3.1 Access. During the Subscription Term, we will provide your Users access to use the Service as described in this Agreement and the applicable Order. You may provide access and use of the Service to your Affiliate’s Users; provided that, all such access and use by your Affiliate’s Users is subject to and in compliance with the Agreement, and you will at all times remain liable for your Affiliate’s compliance with the Agreement.

3.2 Additional Features. You may subscribe to additional features of the Service by placing an additional Order. Certain co-branded products and features may be accessible for activation from within your account (if this option is made available by us.). This Agreement will apply to all additional Order(s) and all additional features that you activate from within your account.

3.3 Modifications. We reserve the right to modify the Service from time to time, including by adding or deleting features and functions.

3.4 Free Trial Services. If you register for a free trial, we will make the applicable Free Services available to you on a trial basis free of charge until the earlier of (i) the end of the free trial period (if not terminated earlier) or (ii) the start date of your paid subscription. Unless you purchase a subscription to the applicable Service before the end of the free trial, all of your data in the Free Services may be permanently deleted at the end of the trial, and we will not recover it. If we include additional terms and conditions on the trial registration web page, those will apply as well. Any trial access to the Free Services is provided “as is” and without warranty of any kind, and we may suspend, limit, or terminate the Free Services for any reason at any time without notice and for any reason, and we will not be liable to you for damages of any kind related to your use of the Free Services during the free trial period.

3.5 Service Uptime Commitment. We will use commercially reasonable efforts to meet a Service Uptime of 99.95% for our Service in a given calendar month. All availability calculations will be based on our system records. Notwithstanding anything to the contrary in this Agreement, as Customer's sole and exclusive remedy for our failure to meet availability or support commitments, in the event there are two (2) or more consecutive calendar months during which the Service Uptime falls below 99.95% in a given calendar month, Customer will be entitled to receive a credit equal to the pro-rated amount of fees applicable to the Downtime as measured within two (2) or more consecutive calendar months during which the Service Uptime fell below 99.95%, which credit shall be applied against an invoice or charge for the following renewal Subscription Term, provided Customer requests such credit within twenty (20) days of the end of the relevant calendar month. Notwithstanding anything to the contrary in the Agreement or this section, this Section 3.5 does not apply to our Free Services.

3.6 Limits/Acceptable Use. You will not misuse the Service or use the Service to violate any applicable law, nor will you help anyone else to do so. This Service is not intended for people under 18 years of age. If you are not of legal age to use the system within your jurisdiction, do not use the system or include information of any such persons within your account. By continuing to use the Service, you represent and warrant that you are eligible to do so and that you will comply with these terms. Unless otherwise expressly permitted in writing, you will not:

3.6.1 General – the following limits apply to all products and the Service.

(i) You will report any compromised account to PhishingBox.

(ii) You will not share authentication credentials with others.

(iii) You will not manipulate the system to bypass account restrictions, such as the number of emails, users, or courses listed in your Order.

(iv) You will not send unsolicited communications, promotions, advertisements, or spam.

(v) You will not sell the Service unless specifically authorized to do so.

(vi) You will not violate or encourage the violation of the law in any way, including storing, publishing or sharing material that is fraudulent, defamatory, infringing, or misleading.

(vii) You will not violate the privacy or infringe the rights of others.

(viii) You will not remove, alter, cover, or distort any copyright, trademark, or other proprietary rights notice we include in or throughout our Services.

(ix) You will not circumvent, disable, or otherwise interfere with our security-related features including, without limitation, any features that prevent or restrict the use of or copying of any aspect of our Services.

(x) You will not use an automatic device (such as a robot or spider) or manual process to copy or “scrape” the Services for any purpose.

(xi) You will not collect or harvest any Personal Data or non-personal data from our Services including, without limitation, usernames, passwords, email addresses.

(xii) You will not solicit other users to join or become members of any commercial online service or other organization without our prior written approval.

(xiii) You will not interfere or attempt to do so with the proper working of our Services or impair, overburden, or disable the same.

(xiv) You will not decompile, reverse engineer, or disassemble any portion of our Services.

(xv) You will not use network-monitoring software to determine architecture of or extract usage data from our Services.

(xvi) You will not engage in any conduct that restricts or inhibits any other user from using or enjoying our Services.

3.6.2 Phishing Simulator – the following limits apply only to the specific features of the Phishing Simulator:

(i) You will not test any entity for you which you do not have authority to test.

(ii) You will not include any sensitive or non-public information within emails or landing pages.

(iii) You agree that we may stop any phishing campaigns or tests should there be complaints of use from other organizations.

3.6.3 PhishingBox’s Application Programming Interface (API) – the following limits apply only to the specific features of the API:

(i) You will not disclose or provide the PhishingBox APIs or access credentials to any person or entity other than to your employees or independent contractors, provided (a) such employees or independent contractors enter into an agreement with you at least as protective of as this Agreement; and (b) you hereby agree to be responsible for any breaches of such agreements by such employees or independent contractors.

(ii) You will not use the PhishingBox API (a) for any illegal purposes; (b) in any manner which would violate this Agreement; (c) to breach any laws or regulations regarding privacy or data protection; (d) to violate the rights of third parties; or (e) expose PhishingBox to any legal liability.

(iii) You will not use any PhishingBox API in any manner that, as determined by PhishingBox in its reasonable discretion, constitutes abusive usage.

(iv) You will not (a) interfere with, or disrupt, the Service and related servers or networks; (b) disobey any requirements, procedures, policies or regulations of networks connected to the Service; or (c) transmit any viruses, worms, defects, Trojan horses, or any items of a destructive nature through your use of the PhishingBox API.

(v) You will not engage in any activity that interferes with, disrupts, harms, damages, or accesses in an unauthorized manner PhishingBox’s servers, security, networks, data, applications, or the Service.

(vi) You will not circumvent any technological measures intended to prevent direct database access.

(vii) You will not bypass PhishingBox API restrictions for any reason, including automating administrative functions of the Service.

3.7 Customer Support. If you pay us a Fee for our Services, the following support is included at no additional cost.

3.7.1 Phone Support. Phone support is available daily from 8:00AM to 8:00PM ET (Eastern Time) Monday through Friday, excluding U.S. federal holidays (“Phone Support Hours”).

3.7.2 Email and In-app Support. Email and in-app responses are provided during Phone Support Hours only. We attempt to respond to email and in-app support questions within one (1) business day. We do not promise or guarantee any specific response time. We may limit or deny your access to support if we determine, in our reasonable discretion, that you are acting, or have acted, in a way that results or has resulted in misuse of support or abuse of PhishingBox representatives.

3.7.3 Support Limitations. Issues resulting from your use of APIs, including third-party APIs, may be outside the scope of support. Should we determine support is needed outside of our standard support, we will notify you about your options, which may include support options for an additional charge.

4. FEES

__________________________________________________

4.1 Subscription Fees. The Fee will remain fixed during the initial term of your subscription unless (i) you exceed your Targets allocation, (ii) you upgrade products or base packages, (iii) you subscribe to additional features or products, including additional Targets, or (iv) otherwise as agreed to in your Order.

4.2. Billing Disputes. You must notify PhishingBox in writing of any disputed charges within thirty (30) days of receiving an invoice. PhishingBox will attempt to resolve all disputes within thirty (30) days of being notified of a dispute. To the extent PhishingBox determines, at its sole discretion, that a billing adjustment is warranted, your account will be credited accordingly. If you fail to notify PhishingBox of a billing dispute as noted above, you waive all rights to bring any claim regarding the disputed charges.

4.3 Downgrades. You may downgrade your products and/or base packages upon no less than ninety (90) days written notice prior to the next renewal anniversary of an applicable Order.

4.4 Fee Adjustments at Renewal. Upon renewal, we may increase your Fees up to our then-current list price set for the Service, not to exceed 10% annual uplift cap. If you do not agree to this increase, either party can choose to terminate your subscription at the end of your then-current term by giving the notice required in Section 5.2 (Notice of Non-Renewal). We will provide notice of any such increase no less than ninety (90) days prior to the renewal anniversary of an applicable Order.

4.5 Payment by Credit Card. If you are paying by credit card, you authorize us to charge your credit card or bank account for all Fees payable during the Subscription Term. You further authorize us to use a third party to process payments, and consent to the disclosure of your payment information to such third party.

4.6 Payment Against Invoice. All amounts invoiced are due and payable within thirty (30) days from the date of receiving the invoice, unless otherwise specified in the Order.

4.7 Payment Information. You or your authorized representative, including but not limited to Solutions Providers, will make commercially reasonable efforts to keep your contact information and billing information up to date. All payment obligations are non-cancelable, and all amounts paid are non-refundable, except as specifically provided for in this Agreement. All Fees are due and payable in advance throughout the Subscription Term. Any representative authorized by Customer, including but not limited to Solutions Providers, who agrees to be bound by the terms of this Agreement and purchases the Service on behalf of a Customer, agrees to be responsible for the Order and to guarantee payment of all Fees.

4.8 Sales Tax. All Fees are exclusive of taxes, which we will charge as applicable. You agree to pay any taxes applicable to your use of the Service and performance of Professional Services. You shall have no liability for any taxes based upon our gross revenues or net income. If you are located outside the United States, all Fees are exclusive of any VAT and you represent that you are registered for VAT purposes in your member state. At our request, you will provide us with the VAT registration number under which you are registered in your member state. If you do not provide us with a VAT registration number prior to your transaction being processed, we will not issue refunds or credits for any VAT that was charged. If you are subject to GST, all Fees are exclusive of GST.

5. TERM AND TERMINATION

__________________________________________________

5.1 Term and Renewal. Your initial subscription period will be specified in your Order, and, unless otherwise specified in your Order, your subscription will automatically renew for a period of one (1) year.

5.2 Notice of Non-Renewal. Each party agrees to give the other no less than ninety (90) days written notice in advance of the then current expiration date if it does not wish to renew an Order.

5.3 Termination for Convenience. You may choose to cancel your subscription early at your convenience provided that, we will not provide any refunds of prepaid fees or unused Subscription Fees, and you will promptly pay all unpaid fees due through the end of the Subscription Term. See Section 5.2 (Notice of Non-Renewal) for information on how to cancel your subscription.

5.4 Termination for Cause. Either party may terminate this Agreement for cause, as to any or all Services: (i) upon written notice to the other party of a material breach if such breach remains uncured after thirty (30) days; or (ii) immediately, if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, cessation of business, liquidation or assignment for the benefit of creditors.

We may also terminate this Agreement for cause on thirty (30) days’ notice if we determine that you are acting, or have acted, in a way that has or may negatively reflect on or affect us, our prospects, or our customers.

5.5 Suspension

5.5.1 Suspension for Prohibited Acts. We may suspend any User’s access to any or all Services without notice for use of the Service in a way that violates applicable local, state, federal, or foreign laws or regulations or the terms of this Agreement. We agree to notify you if this action becomes necessary.

5.5.2 Suspension for Non-Payment. We will provide you with notice of non-payment of any amount due. Unless the full amount has been paid or is under dispute pursuant to Section 4.2, we may suspend your access to any or all of the Services ten (10) days after such notice. We will not suspend the Service if you are reasonably and in good faith disputing any charge(s) and are actively cooperating to resolve the dispute. If a Service is suspended for non-payment, we may charge a re-activation fee to reinstate the Service.

5.5.3 Suspension for Present Harm. We may, upon notice to you, suspend all or any of your access to the Service if you cause:

(i) any denial-of-service attacks or other disruptive activity against us or through the Service against others;

(ii) any security vulnerability for the Service;

(iii) excessive bandwidth to be consumed, as determined by us; or

(iv) any other harm to us or any user of the Service.

We will try to limit suspension of the Service to the affected portion of the Service and promptly resolve the issues causing its suspension. Nothing in this clause limits our right to terminate for cause as outlined above, if we determine that you are acting, or have acted, in a way that has or may negatively reflect on or affect us, our prospects, or our customers.

5.6 Effect of Termination or Expiration. Upon termination or expiration of this Agreement, you will stop all use of the Service. If you terminate this Agreement for cause, we will promptly provide you a pro rata refund for any prepaid but unused Fees covering the remaining Subscription Term after termination. If we terminate this Agreement for cause, you will promptly pay all unpaid Fees due through the end of the Subscription Term. Fees are otherwise non-refundable.

6. CUSTOMER DATA

__________________________________________________

6.1 Customer’s Proprietary Rights. You own and retain all rights to the Customer Materials and Customer Data. This Agreement does not grant us any ownership rights to Customer Materials and Customer Data. You hereby grant us and our licensors a worldwide, perpetual, non-exclusive, royalty-free right to use the Customer Materials and Customer Data only as necessary to provide the Service and Professional Services to you and as otherwise permitted by this Agreement. If you are using the Service or receiving Professional Services on behalf of another party, then you represent and warrant that you have all sufficient and necessary rights and permissions to do so. You further represent and warrant that you (i) will comply with all applicable laws and will ensure your Customer Materials and Customer Data so comply; (ii) will not submit any Customer Materials or Customer Data which infringe or misappropriate any third-party intellectual property rights, including without limitation any trade secret rights; and (iii) will not submit any Customer Materials or Customer Data which contains any personal information except to the extent otherwise requested by us. We will not request, and you agree that under no circumstances will you submit, any sensitive personal information to our Service.

6.2 Limits on PhishingBox. We will not use, or allow anyone else to use, Customer Data to contact any individual (including without limitation the delivery of emails, training, or landing pages) or company except as you direct or otherwise permit. We will use Customer Data only in order to provide the Service and Consulting Services to you and only as permitted by applicable law and this Agreement.

6.3 Data Privacy and Processing. Our data privacy practices are outlined in our Privacy Policy, available at phishingbox.com/privacy-policy and are incorporated herein by reference. Our data processing practices are outlined in our Data Processing Addendum, incorporated herein by reference and attached hereto as Exhibit A.

6.4 Customer Data Transfers. We and our Affiliates may transfer Customer Data (including Personal Data) to the United States in connection with the Service and in accordance with Exhibit A. To the extent we process Personal Data from the European Economic Area, the United Kingdom and/or Switzerland, or Personal Data that is subject to the protection of European data protection laws, PhishingBox agrees to abide by and process EU Data in compliance with the SCCs in the form set out in Annex C of our SCC document.

6.5 Retention, Deletion and Retrieval of Customer Data. For active accounts, we will retain all data within our system unless such data is deleted by Customer. For data that is deleted by Customer, such data may remain on backup or archivable media for some time. For inactive accounts, data may be removed after a period of inactivity.

7. INTELLECTUAL PROPERTY

7.1 PhishingBox retains all right, title, and interest, including all intellectual property rights therein, in and to the Service, PhishingBox Content, and our trademarks (including, but not limited to, those listed at phishingbox.com/trademarks, which we may update at any time without notice to you). With respect to Third-Party Products, the applicable third-party providers own all right, title, and interest, including all intellectual property rights therein, in and to the Third-Party Products. Customer has no right, license, or authorization with respect to any of the Service and PhishingBox Content except as expressly set forth in Section 7.3 or the applicable third-party license. All other rights in and to the Service and PhishingBox Content are expressly reserved by PhishingBox.

7.2 As between Customer and PhishingBox, Customer is and will remain the sole and exclusive owner of all right, title, and interest in and to all Customer Data and Customer Materials, including all intellectual property rights relating thereto, subject to the rights and permissions granted in this Agreement. Customer hereby irrevocably grants all such rights and permissions in or relating to Customer Data as are necessary or useful to PhishingBox to enforce this Agreement and enforce PhishingBox’s rights and perform PhishingBox’s obligations hereunder. For the avoidance of doubt, Customer Materials will be treated as confidential and will not be shared by us with anyone except as directed by you.

7.3 Subject to and conditioned on Customer’s and its Users’ compliance with the terms and conditions of this Agreement, as well as the PhishingBox Terms of Use, available at [www.phishingbox.com/TermsofUse] and incorporated herein by reference, PhishingBox hereby grants to Customer a non-exclusive, non-transferable (except in compliance with Section 12.13) right to access and use the Service during the Subscription Term, solely for use by Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use.

7.4 You agree not to copy, rent, lease, sell, distribute, or create derivative works based on PhishingBox Content, the Service, or our trademarks, in whole or in part, by any means, except as expressly authorized in writing by us. Notwithstanding the foregoing, you may use our trademarks for promotional purposes to identify yourself as a customer of the Services, provided you do not attempt to claim any ownership of the marks by incorporating any of them within your names or offerings and you abide by the guidelines outlined in phishingbox.com/company/branding.

7.5 To the extent you or your Users provide or disclose to PhishingBox any recommendations, suggestions for improvement, or ideas for use of the Service, PhishingBox Content, or otherwise in connection with this Agreement (collectively, “Feedback”), you hereby grant to PhishingBox a perpetual, irrevocable, worldwide, and royalty-free license, but not the obligation, to use and exploit such Feedback for any and all purposes without attribution to you.

7.6 You represent and warrant that you own or have permission to use all intellectual property rights in the Customer Data, Customer Materials, and Feedback. We are not responsible or liable to you or to any third party for the content or accuracy of Customer Data, Customer Materials, or Feedback. We do not control the communications, information or files uploaded by Users on the Service. PhishingBox has no obligation to monitor any areas of the Service through which Users can post Customer Materials. However, at any time we may screen, edit, move, delete, and/or refuse to accept any Customer Materials (from you or other customers) that in our judgment violate these terms or are otherwise objectionable, whether for legal or other reasons. This may include removing any content from the Service at any time, and we will not be liable for that removal.

8. CONFIDENTIALITY

__________________________________________________

8.1 The Receiving Party will: (i) protect the confidentiality of the Confidential Information of the Disclosing Party using the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind, but in no event less than reasonable care, (ii) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, (iii) not disclose Confidential Information of the Disclosing Party to any third party (except those third party service providers used by us to provide some or all elements of the Service or Professional Services and except for any Solutions Provider bound by confidentiality obligations), and (iv) limit access to Confidential Information of the Disclosing Party to those of its and its affiliates' employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein.

8.2 The Receiving Party may disclose Confidential Information of the Disclosing Party if required to do so under any federal, state, or local law, statute, rule or regulation, subpoena or legal process; provided, however, that (i) the Receiving Party will provide the Disclosing Party with prompt notice of any request that it disclose Confidential Information, sufficient to allow the Disclosing Party to object to the request and/or seek an appropriate protective order or, if such notice is prohibited by law, the Receiving Party will disclose the minimum amount of Confidential Information required to be disclosed under the applicable legal mandate; and (ii) in no event will the Receiving Party disclose Confidential Information to a party other than a government agency except under a valid order from a court having jurisdiction requiring the specific disclosure.

9. PUBLICITY

__________________________________________________

You grant us the right to add your name and company logo to our customer list and website. You can opt-out of this by notifying us at support@phishingbox.com.

10. INDEMNIFICATION

__________________________________________________

You will indemnify, defend and hold us and our Affiliates harmless, at your expense, against any third-party claim, suit, action, or proceeding (each, an "Action") brought against us (and our officers, directors, employees, agents, service providers, licensors, and affiliates) by a third party not affiliated with us or our Affiliates to the extent that such Action is based upon or arises out of:

(i) unauthorized or illegal use of the Service by you, Users, or your Affiliates;

(ii) you, Users, or your Affiliates' noncompliance with or breach of this Agreement;

(iii) your, Users’, or your Affiliates’ submission of Customer Data or Customer Materials, or any use we or our customers make of it that is consistent with this Agreement;

(iv) you, Users, or your Affiliates' use of Third-Party Products; or

(v) the unauthorized use of the Service by any other person using your User information.

We will: notify you in writing within thirty (30) days of our becoming aware of any such claim; give you sole control of the defense or settlement of such a claim; and provide you (at your expense) with information and assistance reasonably requested by you to handle the defense or settlement of the claim. You will not accept any settlement that (a) imposes an obligation on us; (b) requires us to make an admission; or (c) imposes liability not covered by these indemnifications or places restrictions on us without our prior written consent.

We will indemnify, defend and hold you harmless, at our expense, against any Action brought against you by a third party not affiliated with you to the extent that such Action is based upon or arises out of an allegation that the Service violates, infringes, or misappropriates any third-party copyright, trade secret, trademark, patent, or other intellectual property rights. You will notify us in writing within thirty (30) days of your becoming aware of any such claim; give us sole control of the defense or settlement of such claim; and provide us with information and assistance requested by us to handle the defense or settlement of the claim.

11. DISCLAIMERS; LIMITATIONS OF LIABILITY

__________________________________________________

11.1 Disclaimer of Warranties. WITHOUT LIMITING OUR OBLIGATIONS IN SECTION 6 (CUSTOMER DATA) OF THIS AGREEMENT, WE MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS, SECURITY, NON-INFRINGING CHARACTER OR ACCURACY OF THE SERVICE, DATA MADE AVAILABLE FROM THE SERVICE, PHISHINGBOX CONTENT, OR THE PROFESSIONAL SERVICES FOR ANY PURPOSE. APPLICATION PROGRAMMING INTERFACES (APIs) MAY NOT BE AVAILABLE AT ALL TIMES. TO THE EXTENT PERMITTED BY LAW, THE SERVICE, PHISHINGBOX CONTENT AND PROFESSIONAL SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND. WE DISCLAIM ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY, WITH REGARD TO THE SERVICE AND THE PROFESSIONAL SERVICES, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.

11.2 No Indirect Damages. TO THE EXTENT PERMITTED BY LAW, IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, OR LOSS OF PROFITS, REVENUE, DATA OR BUSINESS OPPORTUNITIES ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

11.3 Limitation of Liability. EXCEPT FOR LIABILITY ARISING FROM YOUR OBLIGATIONS UNDER SECTION 10 (INDEMNIFICATION), AND YOUR LIABILITY FOR VIOLATION OF OUR INTELLECTUAL PROPERTY RIGHTS, IF, NOTWITHSTANDING THE OTHER TERMS OF THIS AGREEMENT, EITHER PARTY OR ITS AFFILIATES IS DETERMINED TO HAVE ANY LIABILITY TO THE OTHER PARTY, THE PARTIES AGREE THAT THE AGGREGATE LIABILITY OF A PARTY WILL BE LIMITED TO A SUM EQUAL TO THE TOTAL AMOUNTS PAID OR PAYABLE FOR THE SERVICE IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO A CLAIM. HOWEVER, THIS LIMITATION WILL NOT APPLY IF YOU ONLY USE THE FREE SERVICES, IN WHICH CASE, IF WE ARE DETERMINED TO HAVE ANY LIABILITY TO YOU, OUR AGGREGATE LIABILITY WILL BE LIMITED TO ONE HUNDRED U.S. DOLLARS ($100.00).

11.4 Third Party Products. WE DISCLAIM ALL LIABILITY WITH RESPECT TO THIRD-PARTY PRODUCTS THAT YOU USE. OUR LICENSORS WILL HAVE NO LIABILITY OF ANY KIND UNDER THIS AGREEMENT.

11.5 Agreement to Liability Limit. YOU UNDERSTAND AND AGREE THAT ABSENT YOUR AGREEMENT TO THIS LIMITATION OF LIABILITY, WE WOULD NOT PROVIDE THE SERVICE TO YOU.

12. MISCELLANEOUS

__________________________________________________

12.1 Amendment; No Waiver. We may modify any part or all of the Agreement by posting a revised version at phishingbox.com/SubscriptionTerms. The revised version will become effective and binding the next business day after it is posted. We will provide you notice of this revision by email or in-app notification.

If you do not agree with a modification to the Agreement, you must notify us in writing within thirty (30) days after we send notice of the revision. If you give us this notice, then your subscription will continue to be governed by the terms and conditions of the Agreement prior to modification until your next renewal date, after which the current terms posted at phishingbox.com/terms will apply. However, if we can no longer reasonably provide the subscription to you under the terms prior to modification (for example, if the modifications are required by law or result from general product changes), then the Agreement and/or affected Services will terminate upon our notice to you and we will promptly refund any prepaid but unused Fees covering use of the Service after termination.

No delay in exercising any right or remedy or failure to object will be a waiver of such right or remedy or any other right or remedy. A waiver on one occasion will not be a waiver of any right or remedy on any future occasion.

12.2 Force Majeure. Neither party will be responsible for failure or delay of performance, except for payment obligations, if caused by: an act of war, hostility, or sabotage; act of God; electrical, internet, or telecommunication outage that is not caused by the obligated party; pandemic; government restrictions; or other event outside the reasonable control of the obligated party. Each party will use reasonable efforts to mitigate the effect of a force majeure event.

12.3 Actions Permitted. Except for actions for nonpayment or breach of a party’s proprietary rights, no action, regardless of form, arising out of or relating to this Agreement may be brought by you more than one (1) year after the cause of action has occurred.

12.4 Relationship of the Parties. You and we agree that no joint venture, partnership, employment, or agency relationship exists between us, and neither party has any authority of any kind to bind the other party in any respect whatsoever.

12.5 Third Party Products. Third-Party Products are not under our control. Third-Party Products are provided to you only as a convenience, and the availability of any Third-Party Product does not mean we endorse, support or warrant the Third-Party Product.

12.6 Compliance with Laws. We will comply with all U.S. state and federal laws (where applicable) in our provision of the Service, the Professional Services, and our processing of Customer Data. We reserve the right at all times to disclose any information as necessary to satisfy any law, regulation, legal process or governmental request.

You will comply with all laws in your use of the Service and Consulting Services, including any applicable export laws.

You will not use the Service if you are subject to, or provide the Service to anyone else who is subject to, the sanctions programs administered by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury in your use and receipt of the Service and Professional Services.

You will not directly or indirectly export, re-export, or transfer the Service or Professional Services to prohibited countries or individuals or permit use of the Service or Professional Services by prohibited countries or individuals. You will NOT use the Service if you are legally prohibited from receiving or using the Service under the laws of the country in which you are located or from which you access or use the Service.

12.7 Severability. If any part of this Agreement or an Order is determined to be invalid or unenforceable by applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of this Agreement will continue in effect.

12.8 Arbitration.

(i) We each agree to first contact each other with any disputes and provide a written description of the problem, all relevant documents/information, and the proposed resolution. You agree to contact us with disputes by contacting us at PhishingBox LLC, ATTN: CFO, 400 East Vine Street, Suite 301, Lexington, KY 40507. We will contact you based on the contact information you have provided us.

(ii) If after 30 days the parties are unable to resolve any dispute raised under the previous provision, the dispute may only be submitted to arbitration consistent with this Section. The parties understand that they would have had a right or opportunity to litigate disputes through a court and to have a judge or jury decide their case, but they choose to have any disputes resolved through arbitration.

(iii) We each agree that any claim or dispute between us, and any claim by either of us against any agent, employee, successor, or assign of the other, including, to the full extent permitted by applicable law, third parties who are not parties to this agreement, whether related to this agreement or otherwise, including past, present, and future claims and disputes, and including any dispute as to the validity or applicability of this arbitration clause, shall be resolved by binding arbitration administered by the JAMS under its rules and procedures in effect when the claim is filed. The rules and procedures and other information, including information on fees, may be obtained from JAMS’ website (jamsadr.com) or by calling JAMS at 949-224-1810.

(iv) We are entering into this arbitration agreement in connection with a transaction involving interstate commerce. Accordingly, this arbitration agreement and any proceedings thereunder shall be governed by the Federal Arbitration Act (“FAA”), 9 U.S.C. §§ 1-16. Any award by the arbitrator(s) may be entered as a judgment in any court having jurisdiction.

12.9 Notices. Each party giving or making any notice, request, demand, or other communication required or permitted by this agreement shall give that notice in writing. Except as otherwise expressly provided in this Agreement, all notices will only be deemed given and effective: (i) if personally delivered, upon delivery; (ii) if sent by registered or certified mail or overnight courier service with tracking capabilities, upon receipt; and (iii) if sent by electronic mail (without indication of delivery failure), at such time as the party that sent the notice receives confirmation of receipt, whether by read-receipt confirmation or otherwise.

For Customer: The address maintained with the PhishingBox system for any administrator level user.

For PhishingBox:

PhishingBox LLC
400 East Vine Street, Suite 301
Lexington, KY 40507
support@phishingbox.com

12.10 Language. All communications and notices to be made or given pursuant to this Agreement shall be in the English language. We might make versions of this Agreement available in languages other than English. If we do, the English version of this Agreement will govern our relationship, and the translated version is provided for convenience only and will not be interpreted to modify the English version of this Agreement.

12.11 Entire Agreement. This Agreement (including each Order and all exhibits), along with our Privacy Policy at phishingbox.com/privacy-policy and our Terms of Use at phishingbox.com/TermsofUse is the entire agreement between us for the Service and Professional Services and supersedes all other proposals and agreements, whether electronic, oral or written, between us. Our obligations are not contingent on the delivery of any future functionality or features of the Service or dependent on any oral or written public comments made by us regarding future functionality or features of the Service.

12.12 Purchase Orders. We object to and reject any additional or different terms proposed by you, including those contained in your purchase order, acceptance, or website.

12.13 Assignment. You will not assign or transfer this Agreement without our prior written consent, except that you may assign this Agreement to a successor by reason of merger, reorganization, sale of all or substantially all of your assets, change of control or operation of law, provided such successor is not a competitor of ours. We may assign this Agreement to an Affiliate, or in the event of a merger, reorganization, sale of all or substantially all of our assets, change of control or operation of law.

12.14 No Third-Party Beneficiaries. Nothing in this Agreement, express or implied, is intended to or will confer upon any third-party person or entity any right, benefit or remedy of any nature whatsoever under or by reason of this Agreement.

12.15 Contract for Services. This Agreement is a contract for the provision of services and not a contract for the sale of goods. The provisions of the Uniform Commercial Code (UCC), the Uniform Computer Information Transaction Act (UCITA), or any substantially similar legislation as may be enacted, will not apply to this Agreement. If you are located outside of the territory of the United States, the parties agree that the United Nations Convention on Contracts for the International Sale of Goods will not govern this Agreement or the rights and obligations of the parties under this Agreement.

12.16 Governing Law. This Agreement is governed by the laws of the United States and the Commonwealth of Kentucky, without reference to conflict of laws principles. Any legal proceedings against PhishingBox that may arise out of, relate to, or be in any way connected with our Service or this Agreement shall be brought exclusively in the state or federal courts applicable to Lexington, Kentucky, and you waive any jurisdictional, venue, or inconvenient forum objections to such courts.

12.17 Authority. Each party represents and warrants to the other that it has full power and authority to enter into this Agreement and that it is binding upon such party and enforceable in accordance with its terms. Each party further warrants and represents that it has the authority to secure its Affiliates’ compliance with the terms of this Agreement and that its Order signatory, account creator, or Service user is a duly authorized representative of such party and has the requisite power and authority to bind such party to this Agreement.

12.18 Survival. The following sections will survive the expiration or termination of this Agreement: Section 2 (Definitions), Section 5.6 (Effect of Termination or Expiration), Section 6 (Customer Data), Section 7 (Intellectual Property), Section 8 (Confidentiality), Section 9 (Publicity), Section 10 (Indemnification), Section 11 (Disclaimers; Limitations of Liability), and Section 12 (Miscellaneous).

12.19 Precedence. In the event of a conflict or inconsistency among the following documents, the order of precedence will be, to the extent of such conflict or inconsistency: (i) the latest Order, (ii) the exhibits to this Agreement, (iii) the provisions of this Agreement, and (iv) any otherwise incorporated terms.

12.20 Anti-Bribery.

12.20.1 PhishingBox shall not pay any fee, commission, rebate, or other value to or for the benefit of any governmental official having jurisdiction over the Services, if such payment would be inconsistent with or penalized by the laws and regulations of the United States.

12.20.2 PhishingBox and Customer each agree and undertake to the other that in connection with this Agreement and the transactions contemplated by this Agreement, they will each respectively comply with all applicable laws, rules, regulations, decrees and/or official governmental orders of the United States relating to anti-bribery and anti-money laundering.

12.20.3 PhishingBox agrees, undertakes and confirms that to its knowledge its employees, officers, directors, agents, representatives, and subcontractors have not, in connection with the transactions contemplated by this Agreement or in connection with any other business transactions involving the Customer made, offered or promised to make, and will not make, offer, or promise to make, any payment or other transfer of anything of value, including without limitation the provision of any service, gift or entertainment, directly or indirectly to: (i) any government official (including directors, officers and employees of government-owned and government-controlled companies and public international organizations); (ii) any director, officer, employee representative or agent of the Customer; (iii) any political party, official of a political party, or candidate for public office; (iv) an agent or intermediary for payment to any of the foregoing; or (v) any other person or entity for the purpose of obtaining or influencing the award of or carrying out this Agreement, if, and to the extent that to do so is or would be in violation of or inconsistent with the anti-bribery or anti-money laundering laws of any relevant jurisdiction, including, without limitation, the U.S. Foreign Corrupt Practices Act, and, if applicable, the U.K. Anti-Terrorism, Crime and Security Act 2001 and successor legislation, the applicable country legislation implementing the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.

For the purpose of this Section 12.20, the term "government official" shall mean (i) any director, officer, employee, agent, or representative (including anyone elected, nominated, or appointed to be a director, officer, employee, agent, or representative) of any government or anyone otherwise acting in an official capacity on behalf of a government; (ii) any political party, political party official, or political party employee; (iii) any candidate for public or political office; (iv) any royal or ruling family member; (v) any enterprise in which a government owns an interest; (vi) any public international organization; or (vii) any agent or representative of any of those persons listed in subcategories (i) through (vi).

12.20.4 PhishingBox agrees and undertakes that, in connection with this Agreement, and in connection with any other business transactions involving Customer in the United States and United Kingdom, if applicable, PhishingBox and its Affiliates have and will apply effective disclosure controls and procedures; have and will maintain books, records, and accounts which, in reasonable detail, accurately and fairly reflect the transactions undertaken and the disposition of assets; and have and will maintain an internal accounting controls system that is sufficient to ensure the proper authorization, recording and reporting of all transactions and to provide reasonable assurance that violations of the anticorruption laws of the applicable jurisdictions will be prevented, detected and deterred.

12.20.5 In the event that Customer has any basis for a good faith belief that PhishingBox may not be in compliance with the undertakings and/or requirements set forth in this Section 12.20, Customer shall advise PhishingBox in writing of its good faith belief, and PhishingBox shall cooperate fully with any and all inquiries undertaken by or on behalf of Customer in connection therewith, including the provision by PhishingBox of personnel and supporting documents and affidavits if reasonably deemed necessary by Customer.

12.20.6 Subject to the requirements of this Section 12.20 and without prejudice to any other rights or remedies Customer may have hereunder or at law (including, as applicable, the right to damages for breach of Agreement), Customer shall have the right to terminate this Agreement with immediate effect if Customer reasonably believes in good faith that any of the foregoing agreements, undertakings or requirements set forth in this Section 12.20 have not been complied with or fulfilled by PhishingBox; PROVIDED, HOWEVER, that Customer shall have provided PhishingBox with written notice of its intention to terminate the Agreement under the provisions of this Section 12.20, together with a summary of the reasons therefore, and that PhishingBox has been unable within five (5) business days of delivery of such notice to provide Customer with evidence that demonstrates, to Customer’s reasonable satisfaction, that PhishingBox has not failed to comply with or fulfill any of the foregoing agreements, undertakings or requirements.

Exhibit A

Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service agreed to by the parties PhishingBox, LLC (“PhisingBox”) and the Customer as defined therein (“Customer”) (the “Agreement”). Except where separately defined in this Addendum, capitalized terms will have the meaning set out in the Agreement. To the extent this Data Processing Addendum (“DPA”) conflicts with any provisions in the Agreement, this DPA shall control.

1. Definitions. The following definitions apply in this Addendum:

1.1. “Breach” means the unauthorized disclosure, acquisition of, or access to, Personal Information that does or may compromise the security, confidentiality and/or integrity of the Personal Information.

1.2. “Breach Subject” means an individual whose Personal Information has been, or is believed to have been, disclosed, acquired, and/or accessed as a part of a Breach.

1.3. “Business Purpose” means the provision of products and/or services by PhishingBox for and/or on behalf of Customer as contemplated by the Agreement and as more specifically described in Section 7.

1.4. “Event Assistance” means, in connection with any Breach or Privacy Claim: (a) assisting with any investigation thereof; (b) providing physical access to any facilities and operations affected thereby; (c) facilitating interviews with the PhishingBox’s personnel, former personnel, and others involved therein; and (d) making available all relevant records, logs, files, data reporting, and other materials reasonably requested by Customer in connection therewith.

1.5. “Notification Parties” means Breach Subjects, governmental authorities and/or media outlets.

1.6. “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity. Without limiting the foregoing, Personal Information shall also mean any information or data the relevant Privacy and Data Protection Requirements otherwise define as protected personal information (by any definition).

1.7. “Privacy and Data Protection Requirements” means all applicable laws and regulations relating to the privacy or security of the Personal Information, including, without limitation, where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction, including, without limitation, the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”) (collectively, “California Privacy Law”), the UK Data Protection Act of 2018 (the “UK GDPR”), the EU’s General Data Protection Regulation 2016/679 (“GDPR”), and the Swiss Federal Act on Data Protection (“FADP”), and any other jurisdictional laws regarding processing or cross-border transfers of Personal Information.

1.8. “Privacy Claim” means any complaint, notice, or communication from a consumer or other individual or any of the Notification Parties that directly or indirectly relates to either party’s compliance with the Privacy and Data Protection Requirements.

1.9. “Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.

2. General Terms. As between PhishingBox and Customer, Customer will be considered the owner or “Controller” of the Personal Information and PhishingBox shall be the “Processor”. All intellectual property rights in the Personal Information shall remain with Customer. Customer has the necessary lawful basis to process the Personal Information as set forth in the applicable Privacy and Data Protection Requirements. PhishingBox will treat the Personal Information as the Confidential Information of Customer, and nothing in this Addendum will operate as an obstacle to Customer’s right to access or exercise control over the Personal Information. Customer hereby instructs PhishingBox to process the Personal Information provided to PhishingBox (or collected by PhishingBox for the benefit of Customer) by and on behalf of Customer solely as needed to provide the services contemplated under the Agreement, and as more fully specified in the attached Appendix 1, Summary of Personal Information Processing, which is fully incorporated herein.

3. PhishingBox will:

3.1. process the Personal Information only on documented instructions from Customer and agrees to only transfer Personal Information to a third country or an international organization after receiving written approval from Customer, unless otherwise required to do so by law to which PhishingBox is subject; in such a case, PhishingBox will inform Customer of that legal requirement before processing or transferring, unless prohibited by law;

3.2. require that persons authorized to process Personal Information under the Agreement are subject to appropriate confidentiality and information security obligations;

3.3. not utilize the services of a subprocessor without the written consent of Customer, and in the event of receiving such consent, will impose substantially the same data protection obligations as set out in this Addendum and the applicable Privacy and Data Protection Requirements on any subprocessor by written contract, which written contract will provide sufficient guarantees that the subprocessor will implement appropriate technical and organizational measures in such a manner that the Processing by such subprocessor will meet the requirements of the applicable Privacy and Data Protection Requirements. In the event that PhishingBox utilizes a subprocessor, PhishingBox agrees that it shall remain liable to Customer for all Processing performed by the subprocessor;

3.4. assist Customer through appropriate technical and organizational measures, considering the nature of the processing, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights under the applicable Privacy and Data Protection Requirements;

3.5. assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR/UK GDPR and/or the corresponding obligations under the Privacy and Data Protection Requirements, as applicable, considering the nature of processing and the information available to the PhishingBox, which will be done on reasonable request;

3.6. maintain records of Processing activities as required by the Privacy and Data Protection Requirements;

3.7. after the completion of the Business Purpose for an item of Personal Information, upon written request from Customer, PhishingBox shall delete or return all Personal Information to Customer, and to the extent applicable, shall delete existing copies unless the applicable Privacy and Data Protection Requirements requires storage of the Personal Information;

3.8. make available to Customer, upon no less than thirty (30) days prior written notice, all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR/UK GDPR and/or the applicable Privacy and Data Protection Requirements; and

3.9. notify Customer if PhishingBox believes any Processing required under the Agreement is contrary to Customer’s instructions or that allowed under the Privacy and Data Protection Requirements.

4. Standard Contractual Clauses.

4.1. In the event that, pursuant to the Agreement or provision of services thereunder, PhishingBox or any of PhishingBox’s affiliates or contractors, collects, uses, stores or in any other way processes Personal Information of individuals residing in the UK, the European Union, or Switzerland, and PhishingBox intends to or may transfer, access or use such Personal Information outside of the UK, the European Union, or Switzerland, PhishingBox and each applicable affiliate and contractor will execute the SCCs, available through our Trust Center at phishingbox.com/resources/trust-center/gdpr.

4.2 If the completion of the SCCs is necessary pursuant to Section 4.1, the parties agree as follows:

(a) In relation to Personal Information protected by the GDPR, the SCCs will be completed and entered;

(b) In relation to Personal Information protected by the UK GDPR:

(i) The SCCs shall be completed and entered pursuant to Section 4.2(a); and

(ii) The International Data Transfer Addendum shall be completed and entered and the SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum.

(i) The Swiss Federal Data Protection and Information Commissioner shall be the exclusive supervisory authority;

(ii) The term “member state” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18; and

(iii) References to the GDPR in the SCCs shall also include reference to the equivalent provision from the FADP.

5. Security Measures.

PhishingBox represents and warrants that it adheres to the SOC II standard. PhishingBox shall also comply with any specific measures required by Privacy and Data Protection Requirements. These measures shall include:

5.1 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

5.2 the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and

5.3 a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

6. Right to Audit. PhishingBox will adopt and maintain policies to demonstrate compliance with this Addendum and the Privacy and Data Protection Requirements. At least once per year, or upon reasonable request by Customer after a Breach or Privacy Claim, PhishingBox will allow and cooperate with a reasonable audit of PhishingBox’s compliance. In the alternative, PhishingBox may arrange for a qualified and independent auditor to conduct an audit of PhishingBox’s compliance which audit shall use an appropriate and accepted control standard or framework/procedure. PhishingBox shall provide a report of such audit to Customer upon Customer’s request.

7. Compliance with California Privacy Law

7.1. PhishingBox agrees that it will only Process the Personal Information for the limited and specific Business Purpose contemplated in the Agreement, namely to provide the Service to Customer. The Business Purpose includes troubleshooting and general maintenance of the Service; delivering emails, training, or landing pages to Customer’s intended recipients; and otherwise as directed by Customer or as reasonably necessary to otherwise provide the Service to Customer.

7.2. PhishingBox further agrees:

(a) It shall comply with all applicable obligations under California Privacy Law and provide the same level of privacy protections as required by California Privacy Law.

(b) Customer has the right to take reasonable and appropriate steps to ensure that PhishingBox uses the Personal Information in a manner consistent with Customer’s obligations under California Privacy Law.

(c) It shall notify Customer if PhishingBox makes a determination that it can no longer meet its obligations under California Privacy Law.

(d) Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

(e) PhishingBox will cooperate with Customer in responding to and complying with consumer requests, and Customer will provide PhishingBox with information necessary for PhishingBox to comply with the requests. Alternatively, PhishingBox may enable Customer through its technology to comply with the requests.

7.3. PhishingBox agrees that it shall not:

(a) Sell or share the Personal Information.

(b) Retain, use, or disclose the Personal Information for any purpose other than the Business Purpose.

(d) Retain, use, or disclose the Personal Information outside the direct business relationship between Customer and PhishingBox.

(e) Combine the Personal Information with other personal information that PhishingBox has or receives on behalf of another person.

8. Breach Notifications.

8.1. Within one (1) day of a Breach first becoming known to PhishingBox, PhishingBox will notify Customer by an email to the contact information provided on the latest Order or, if there is no Order, via Customer’s account. The email shall contain a summary of all facts then known about the Breach.

8.2. In no case later than two (2) days after the date upon on which a Breach first becomes known to PhishingBox, PhishingBox will provide Customer with a more-detailed notification than that required by Section 8.1, again by email to the contact information provided on the latest Order, containing at least the following information, except to the extent to which the same cannot be discovered through reasonable efforts within such timeframe: (a) the identification and address of each Breach Subject; (b) a brief description of what happened, including, without limitation, the date of the Breach and the date of the discovery of the Breach; (c) a description of the types of Personal Information that were involved in the Breach; (d) a detailed list of all steps that Breach Subjects should take to protect themselves from potential harm that will or may result from the Breach; (e) a brief description of what PhishingBox is doing to investigate the Breach, mitigate the harm to Breach Subjects, and protect against further Breaches; (f) a brief description of what PhishingBox plans to do in the immediate future to further investigate the Breach, mitigate the harm to Breach Subjects, and protect against further Breaches; and (g) complete contact information for a management-level person at PhishingBox for further communications with Customer regarding the Breach.

9. Breach Updates. PhishingBox will promptly notify Customer by email to the contact information provided on the latest Order with updates of the items specified in Section 8.2 when PhishingBox becomes aware of further information relating to the Breach.

10. Communications. Unless required by the Privacy and Data Protection Requirements, and then only to the extent so required, PhishingBox will not inform any third party, including, without limitation, any Notification Parties, of any Breach without first obtaining the prior express and unambiguous consent of Customer. PhishingBox acknowledges and agrees that Customer has and will have the sole right to determine: (a) whether to provide notice of any Breach to any of the Notification Parties, as required by law or regulation or in Customer’s discretion, including, without limitation, the contents and delivery method thereof; and (b) whether to offer any type of remedy, and the nature and extent of any such remedy, to Breach Subjects.

11. Breach Response and Mitigation. In the event of any Breach, PhishingBox will: (a) provide Event Assistance to Customer and take all reasonable measures, and cooperate with Customer in its taking of any reasonable measures, to remedy actual harm and minimize potential harm to Personal Information and/or any Breach Subject(s) and prevent future occurrences similar to such Breach; and (b) neither make any public statements nor notify any Notification Parties with respect to such Breach, except those that have been expressly and unambiguously agreed to by Customer, unless required otherwise by the Privacy and Data Protection Requirements, and then only to the extent so required.

12. Costs of Breach Notification. In addition to PhishingBox’s indemnity obligations in the Agreement, in the event of any Breach, PhishingBox will, at its sole expense, indemnify, defend and hold harmless Customer and its Affiliates, sublicensees, representatives, agents, members, shareholders, managers, directors, officers, employees and customers (including, without limitation, any customer who is a Breach Subject) from and against any and all costs incurred by any of them to: (a) provide notifications to any of the Notification Parties; (b) provide remedies required under the Privacy and Data Protection Requirements, including, without limitation, credit monitoring for Breach Subjects; and (c) remedy actual harm and minimize potential harm to Personal Data and/or any Breach Subject.

13. Notice of Privacy Claims. If PhishingBox receives a Privacy Claim, PhishingBox will promptly, and in no case later than one (1) day after the date upon on which Privacy Claim is first received by PhishingBox, notify Customer by email at the contact information provided in the latest Order. After such notice to Customer, PhishingBox will: (a) provide Event Assistance to Customer and take all reasonable measures, and cooperate with Customer in its taking of reasonable measures, to address such Privacy Claim; and (b) neither make any public statements nor notify any third party or government authorities with respect to such Privacy Claim, except those that have been expressly and unambiguously agreed to by Customer, unless required otherwise by the Privacy and Data Protection Requirements, and then only to the extent so required.

14. Compliance and Indemnification. PhishingBox’s failure to comply with this Addendum will be deemed a material breach of the Agreement. Nothing in this Addendum relieves PhishingBox of its direct responsibilities and liabilities under the Privacy and Data Protection Requirements. Notwithstanding any termination of the Agreement, PhishingBox’s obligations under this Addendum will remain in effect so long as PhishingBox retains access to or possession of any Personal Information. PhishingBox agrees to indemnify, keep indemnified and defend at its own expense Customer against all costs, claims, damages, or expenses incurred by Customer or for which Customer may become liable due to any failure by the PhishingBox or its employees, subcontractors, or agents to comply with any of its obligations under the Addendum and/or the Privacy and Data Protection Requirements. Any limitation of liability set forth in the Agreement will not apply to this Addendum’s indemnity or reimbursement obligations.

15. Miscellaneous. This Addendum is subject to the terms of the Agreement. Notwithstanding anything to the contrary in the Agreement, to the extent that the terms of the Agreement conflict or are inconsistent with those of this Addendum, the terms of this Addendum will control to the extent of such conflict or inconsistency.

Appendix 1

Summary of Personal Information Processing

1	Subject matter of the processing	Processing as necessary to provide the Service to Customer pursuant to the Subscription Terms of Service
2	Duration	The Subscription Terms of Service term duration
3	Nature and Purpose of the processing	To allow Customer to use PhishingBox’s phishing training and awareness services and fulfill the Business Purpose
4	Types of Personal Information processed	Full name and email address
5	Categories of Data Subjects in relation to Personal Information Processed	Customer employees and contractors